From ea30bcbf58f1d47b809db60f946c66f445d06a03 Mon Sep 17 00:00:00 2001
From: Alex Todorov
Date: Wed, 20 Nov 2024 14:39:33 +0200
Subject: [PATCH] Tell gitleaks to scan only commits in the current PR
---
 .github/workflows/mega-linter.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index ef145b874..b8f09023a 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -42,6 +42,10 @@ jobs:
 # All available variables are described at https://megalinter.io/latest/configuration/
 # and configured in .mega-linter.yml
 VALIDATE_ALL_CODEBASE: true
+ # tells gitleaks to scan only commits in the current PR without setting VALIDATE_ALL_CODEBASE==false
+ # which has other side effects. See https://github.com/oxsecurity/megalinter/issues/2487 and
+ # https://megalinter.io/8.2.0/descriptors/repository_gitleaks/
+ REPOSITORY_GITLEAKS_ARGUMENTS: --log-opts '--no-merges --first-parent ${{ github.event.pull_request.base.sha }}^..${{ github.event.pull_request.head.sha }}'
 JSON_JSONLINT_FILTER_REGEX_EXCLUDE: (chainspecs/dryRun*)
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
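Review bot: The added `REPOSITORY_GITLEAKS_ARGUMENTS` value is built only from `github.event.pull_request.*`, which expands to empty strings on events that carry no pull_request payload, so the range would collapse to `^..` and the gitleaks step would likely fail or scan nothing. The workflow's `on:` triggers and the rest of the `env:` block are outside this hunk, so confirm whether push or manual runs reach this step. A guarded form such as `REPOSITORY_GITLEAKS_ARGUMENTS: ${{ github.event_name == 'pull_request' && format('--log-opts "--no-merges --first-parent {0}^..{1}"', github.event.pull_request.base.sha, github.event.pull_request.head.sha) || '' }}` leaves the variable empty elsewhere, so the full scan implied by `VALIDATE_ALL_CODEBASE: true` presumably still applies; check that MegaLinter parses the double-quoted form the same way as the single-quoted one. Separately, `--no-merges --first-parent` means that changes made inside a merge commit, and commits that enter the PR branch only through a merge, are not scanned, and the added comment should say so, e.g. `# NOTE: merge commits and commits reachable only via a merged-in branch are skipped by these log options`. The range also relies on the checkout step fetching enough history to resolve `base.sha`, which is not visible here.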