From cef3d2dc9971e9bcad1bf9415bf66543975f6b1c Mon Sep 17 00:00:00 2001
From: "Peter St. John"
Date: Tue, 4 Mar 2025 12:10:27 -0700
Subject: [PATCH] split trufflehog scan into two actions, run on entire repo on scheduled event (#696)

Should fix the scheduled nightly tests that are currently failing on the trufflehog scan step.

Signed-off-by: Peter St. John
---
 .github/workflows/unit-tests.yml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 3e05f9cde8..5e3bb91746 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -37,12 +37,20 @@ jobs:
 # For `push` events, (i.e., post-merge tests), we run trufflehog on the entire main branch by setting the base to
 # ''. For some reason, the default behavior doesn't work well with the merge_group event, so we need to set these
 # manually.
- - uses: trufflesecurity/trufflehog@main
+ - name: Run Trufflehog scan (for push to main)
+ id: push_scan
+ if: github.event_name == 'push' || github.event_name == 'schedule'
+ uses: trufflesecurity/trufflehog@main
 with:
- path: ./
- base: ${{ github.event_name != 'push' && github.event.repository.default_branch || '' }}
+ base: ''
+ head: HEAD
+
+ - name: Run Trufflehog scan (for PRs)
+ if: steps.push_scan.outcome == 'skipped'
+ uses: trufflesecurity/trufflehog@main
+ with:
+ base: ${{ github.event.repository.default_branch }}
 head: HEAD
- extra_args: --only-verified
 
 build-bionemo-image:
 needs: pre-commit
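Review bot: Both new steps run `trufflesecurity/trufflehog@main`, a mutable branch ref, so whatever lands upstream executes in this job against the checked-out repository without review; pinning each step to a reviewed commit, `uses: trufflesecurity/trufflehog@<full-commit-sha>  # <release tag>`, keeps the secret scanner itself from becoming a supply-chain risk. The hunk also drops `extra_args: --only-verified` without any mention in the commit message, which presumably means unverified detections are now reported too; if that is intended, a comment such as `# no --only-verified: unverified findings are reported as well` above the steps would record the decision, and the existing comment should name `schedule` alongside `push`. The job's step list starts before this hunk, so the checkout depth that a full-history scan with `base: ''` relies on is not visible here.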