Greptile Summary

This PR fixes a shallow-checkout race condition in the secrets CI job where a missing base commit caused the detect-secrets step to silently fall back to a full-repository scan instead of a targeted diff. It also hardens all inline GitHub context expressions against shell injection by moving them into env: variables.

Key changes:

• Adds a new ensure-base-commit composite action step (runs only on pull_request events) that progressively deepens the shallow clone (25 → 100 → 300 commits, then full ref) until the PR base SHA is reachable — preventing the fallback to --all-files in the common case.
• Replaces inline ${{ github.event.pull_request.base.sha }} and ${{ github.event.before }} shell interpolations with env: variables (PR_BASE_SHA, PUSH_BEFORE_SHA), following GitHub Actions security best practices.
• Replaces ${{ github.ref }} / ${{ github.event_name }} with the already-available default environment variables $GITHUB_REF / $GITHUB_EVENT_NAME, which is correct and removes unnecessary expression interpolation inside run: blocks.
• Note: The composite action exits 0 even when all fetch attempts fail, so in extreme edge cases the full-scan fallback in detect-secrets can still be triggered. This is graceful degradation rather than a hard failure, but the PR title "avoid full-scan fallback" slightly overstates the guarantee.

Confidence Score: 4/5

• Safe to merge — changes are scoped entirely to the secrets CI job with no production code impact.
• The logic is correct: the ensure-base-commit step runs before both diff-dependent steps, the env: variable approach is a strict improvement over inline expression interpolation, and default GitHub Actions vars ($GITHUB_REF, $GITHUB_EVENT_NAME) are used correctly. The only minor concern is that the composite action silently exits 0 on complete failure, meaning the full-scan fallback it aims to prevent can still occur in rare edge cases — but this is intentional graceful degradation and not a regression.
• .github/actions/ensure-base-commit/action.yml — review whether the silent exit 0 on unresolvable base SHA matches the intended failure policy.

_{Last reviewed commit: ec7cb66}

Code is ready to review

Closing this PR because the fix has already landed upstream in main (CI workflow now includes the base-commit fetch + scoped detect-secrets behavior). Keeping this open would duplicate the existing upstream change. Thanks!

Closing as already fixed upstream in main.