diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 45d2ce8..7815743 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,11 @@ permissions: security-events: write packages: write +# Run Node20-based actions on Node24 (GitHub force-migrates 2026-06-16). Silences the +# deprecation warnings and future-proofs the workflow. +env: + FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" + jobs: secret-scan: name: Secret Scan (TruffleHog) @@ -27,8 +32,11 @@ jobs: uses: trufflesecurity/trufflehog@main with: path: ./ - base: ${{ github.event.repository.default_branch }} - head: HEAD + # On a PR: scan the PR diff. On a push/merge to main: scan the pushed range + # (before..after). The previous default-branch/HEAD config made base==head on + # main pushes, so TruffleHog scanned nothing. + base: ${{ github.event.pull_request.base.sha || github.event.before }} + head: ${{ github.event.pull_request.head.sha || github.sha }} extra_args: --results=verified,unknown quality: