From 5236c800746078aca9f8df817dc7d2e96901dc8b Mon Sep 17 00:00:00 2001
From: Melvin PETIT
Date: Mon, 22 Jun 2026 16:17:58 +0200
Subject: [PATCH] ci(security): scan full history on push for TruffleHog

github.event.before equals HEAD on branch creation and no-op pushes, which makes the TruffleHog action fail with 'BASE and HEAD commits are the same'. Diff against the default branch only on pull_request; on push scan the full git history from HEAD instead.
---
 .github/workflows/security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index a069462..8f8026e 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -48,7 +48,7 @@ jobs:
 uses: trufflesecurity/trufflehog@v3.95.5
 with:
 path: ./
- base: ${{ github.event_name == 'push' && github.event.before || github.event.repository.default_branch }}
+ base: ${{ github.event_name == 'pull_request' && github.event.repository.default_branch || '' }}
 head: HEAD
 extra_args: --only-verified
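Review bot: The push side of the new `base:` expression only scans full history if the checkout step actually fetched it, and that step lies outside this hunk. With a default shallow `actions/checkout`, a scan from `HEAD` would likely cover only the tip commit, so a secret committed and later removed in earlier history would go unreported while the job stays green. Confirm the checkout sets `fetch-depth: 0`; the pull_request side needs it too so that the default-branch ref resolves locally. On pull requests, `github.event.repository.default_branch` is the repository default rather than the PR's target branch, so `github.event.pull_request.base.sha` would follow the real base for PRs opened against other branches. A short comment above the line, such as `# empty base on push: scan all history reachable from HEAD`, would keep the intent visible in the workflow.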