ci(workflows): fix trufflehog rot (replaces fake SHA + wrong repo path)#45
Conversation
The previous pin (commit cac3d16) used: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad The SHA is fake (not in trufflesecurity/trufflehog or trufflehog/actions), and the reference name is wrong (trufflehog/actions/ repo 404s). Replaced with the working pattern: trufflesecurity/trufflehog@75add79 (2026-06-05; the same SHA PhenoMCP, PhenoSpecs, phenotype-registry#61, thegent#1096, FocalPoint#100 use.) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
codeant-ai
Bot
added
the
size:XS
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Push to main fails scan
- Removed explicit base/head inputs so TruffleHog auto-detects commit ranges from push.before/after on main pushes instead of comparing the same ref twice.
Or push these changes by commenting:
@cursor push 90d1679f47
Preview (90d1679f47)
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -21,6 +21,4 @@
- uses: trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf
with:
path: ./
- base: ${{ github.event.repository.default_branch }}
- head: HEAD
extra_args: --only-verified --fail --no-updateYou can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit b8988ad. Configure here.
| with: | ||
| path: ./ | ||
| base: ${{ github.event.repository.default_branch }} | ||
| head: HEAD |
There was a problem hiding this comment.
Push to main fails scan
Medium Severity
With push to main enabled, pinning base to the default branch and head to HEAD makes both refs the same commit after checkout. The TruffleHog action treats that as an empty range and exits with an error, so post-merge runs on main fail even when no secrets were introduced.
Reviewed by Cursor Bugbot for commit b8988ad. Configure here.
|
CodeAnt AI finished reviewing your PR. |
1 participant
User description
PR #44 (closed) was already-merged by #43 which pinned a fake SHA. This PR replaces both the fake SHA and the wrong repo path with the working
trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf.🤖 Generated with Claude Code
Note
Low Risk
CI-only workflow change; no application runtime, auth, or data-path changes.
Overview
Fixes the Trufflehog secrets scan workflow by dropping the broken
trufflehog/actions/setuppin (including a bad SHA) and the separatetrufflehog githubCLI step that relied onGH_TOKEN.The job now uses the official
trufflesecurity/trufflehogaction at commit75add79b929b263dae147d2e5bcf0daf292165cf, scanning the repo withpath: ./, comparingbase(default branch) tohead: HEAD, and passing--only-verified --fail --no-updateviaextra_args.Reviewed by Cursor Bugbot for commit b8988ad. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Fix the Trufflehog secrets scan workflow
What Changed
Impact
✅ Fewer broken CI runs✅ Reliable secrets scanning✅ Faster detection of verified secrets💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.