
CI secrets PR fast-path can fall back to full scan when base SHA missing in shallow checkout #38481

@mwfj

Description


Summary

In PR workflows, the secrets job computes changed files using github.event.pull_request.base.sha, but checkout uses fetch-depth: 1.

When the base commit is not present locally, the script falls back to pre-commit run --all-files detect-secrets, which can fail on known baseline noise unrelated to the PR diff.

Evidence

Recent PR run on #33298:

  • secrets step logs: Falling back to full detect-secrets scan.
  • checkout config shows fetch-depth: 1

Expected

PR secrets job should reliably scan changed files only (or fetch enough history to do so), and avoid full-repo fallback caused purely by shallow history.

Proposed fix

  • Add ./.github/actions/ensure-base-commit before the secrets diff path on PR events
  • Use env-indirected GitHub context values in shell (PR_BASE_SHA, PUSH_BEFORE_SHA) to keep zizmor/template-injection checks clean
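The diff-or-fallback step that the two bullets above describe, written out as an added example; this is not the project's own ensure-base-commit action or secrets step. It assumes the workflow step exports the GitHub context through the environment variables named in the proposal (PR_BASE_SHA, PUSH_BEFORE_SHA) instead of interpolating ${{ }} into the script body, that GITHUB_EVENT_NAME is set by the runner as usual, and that the pre-commit hook id is detect-secrets as in the issue.

```shell
#!/usr/bin/env sh
# Added example, not the project's own ensure-base-commit action or secrets step.
# Assumes the workflow step passes GitHub context through environment variables
# (PR_BASE_SHA, PUSH_BEFORE_SHA) rather than interpolating ${{ }} into the script,
# and that GITHUB_EVENT_NAME is provided by the runner as usual.

# Print the commit to diff against for this event, or nothing if there is none.
resolve_base_sha() {
  case "$1" in
    pull_request|pull_request_target) printf '%s\n' "${PR_BASE_SHA:-}" ;;
    push) printf '%s\n' "${PUSH_BEFORE_SHA:-}" ;;
    *) ;;
  esac
}

# Succeed only if the commit object exists in the local (possibly shallow) clone.
have_commit() {
  git cat-file -e "$1^{commit}" 2>/dev/null
}

# A fetch-depth: 1 checkout usually lacks the PR base commit; fetch just that
# commit (GitHub's upload-pack accepts a bare SHA as the refspec).
ensure_base_commit() {
  if have_commit "$1"; then
    return 0
  fi
  echo "Base commit $1 not present in shallow checkout; fetching it" >&2
  git fetch --no-tags --depth=1 origin "$1"
}

# Files added, copied, modified or renamed between the base and HEAD, one per line.
changed_files() {
  git diff --name-only --diff-filter=ACMR "$1" HEAD
}

# True for the all-zero SHA that GitHub reports as `before` on a branch's first push.
is_null_sha() {
  case "$1" in
    0000000000000000000000000000000000000000) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the detect-secrets pre-commit hook over the diff only. The full-repo scan
# is reached when no usable base exists, not merely because history is shallow.
scan_secrets() {
  base=$(resolve_base_sha "${GITHUB_EVENT_NAME:-}")
  if [ -z "$base" ] || is_null_sha "$base" || ! ensure_base_commit "$base"; then
    echo "Falling back to full detect-secrets scan." >&2
    pre-commit run --all-files detect-secrets
    return
  fi
  files=$(changed_files "$base")
  if [ -z "$files" ]; then
    echo "No changed files between $base and HEAD; nothing to scan." >&2
    return 0
  fi
  # Split on newlines only (and without globbing) so paths with spaces survive.
  old_ifs=$IFS
  IFS='
'
  set -f
  set -- $files
  set +f
  IFS=$old_ifs
  pre-commit run detect-secrets --files "$@"
}
```

The workflow step sources this file and calls scan_secrets, with env entries PR_BASE_SHA set from github.event.pull_request.base.sha and PUSH_BEFORE_SHA from github.event.before; the script body itself contains no template expressions, which is what keeps the zizmor template-injection check clean. Fetching by SHA with --depth=1 pulls in only the base commit, so the checkout can stay shallow while the diff is still computed against the real base.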
