diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml
index f5215de8..000a5c74 100644
--- a/.github/workflows/reusable-build-test-release.yml
+++ b/.github/workflows/reusable-build-test-release.yml
@@ -152,14 +152,22 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
+ if: github.event_name != 'pull_request'
+ uses: actions/checkout@v2
+ with:
+ submodules: false
+ fetch-depth: "0"
+ - name: Checkout for PR
+ if: github.event_name == 'pull_request'
 uses: actions/checkout@v2
 with:
 submodules: false
 fetch-depth: "0"
+ ref: ${{ github.head_ref }}
 - name: Trufflehog Actions Scan
- uses: edplato/trufflehog-actions-scan@v0.9j-beta
+ uses: edplato/trufflehog-actions-scan@v0.9l-beta
 with:
- scanArguments: "--max_dept 50 -x .github/workflows/exclude-patterns.txt"
+ scanArguments: "--max_dept 50 -x .github/workflows/exclude-patterns.txt --allow .github/workflows/trufflehog-false-positive.json"
 semgrep:
 runs-on: ubuntu-latest
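Review bot: The new `Checkout for PR` step sets `ref: ${{ github.head_ref }}` but leaves `repository` at its default, so if this reusable workflow is ever reached from a pull request opened from a fork, that branch name is looked up in the base repository where it does not exist and the checkout fails; either add `repository: ${{ github.event.pull_request.head.repo.full_name }}` or use `ref: ${{ github.event.pull_request.head.sha }}`, which also pins the secret scan to the exact commit the event reported instead of wherever the branch points by the time the job runs. Both `edplato/trufflehog-actions-scan@v0.9l-beta` and `actions/checkout@v2` are referenced by mutable tags; pinning the third-party scanner in particular to a full commit SHA (tag kept in a trailing comment) keeps the secret-scanning step from changing silently under a retagged release. `--max_dept 50` is carried over unchanged and looks like a misspelling of `--max_depth`; worth confirming against the action's argument handling, since an unrecognised flag may leave the depth cap unapplied.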