Fix TruffleHog secret scan failing when BASE and HEAD are identical

[Copilot]

TruffleHog fails with "BASE and HEAD commits are the same" because the workflow used github.event.repository.default_branch (a branch name) as the base commit SHA, causing it to resolve to the same commit as HEAD in push and scheduled events.

Changes

Split the secret scan into three conditional steps using correct context variables per event type:

• Pull requests: github.event.pull_request.base.sha → github.event.pull_request.head.sha
• Push events: github.event.before → github.sha
• Scheduled runs: Full scan with no base/head (scans entire repository)

- name: 🔍 TruffleHog Secret Scan (PR)
  if: github.event_name == 'pull_request'
  uses: trufflesecurity/trufflehog@main
  with:
    base: ${{ github.event.pull_request.base.sha }}
    head: ${{ github.event.pull_request.head.sha }}

Original prompt

what is this on a secrets scan?

Error: BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action).
Error: Process completed with exit code 1.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.