From 0e9b07a029990295e2a41333636e6485327a5a45 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Thu, 1 Feb 2024 10:25:12 -0500
Subject: [PATCH 1/3] Secret-scanning: Fix newly-opened PR conditional
Signed-off-by: Chris Evich
---
 .github/workflows/scan-secrets.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan-secrets.yml b/.github/workflows/scan-secrets.yml
index 6e122eb18f..f429447d2d 100644
--- a/.github/workflows/scan-secrets.yml
+++ b/.github/workflows/scan-secrets.yml
@@ -86,7 +86,7 @@ jobs:
 after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)
 echo "https://github.com/${{ github.repository }}/compare/${before}...${after}"
- - if: github.event_name == 'opened'
+ - if: github.event.action == 'opened'
 name: Provide URL showing code that needs human eyes (newly opened PR)
 shell: bash
 run: |
From 0a4beea6db36023e7cda744ff63ad3ba3cafb6f9 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Thu, 1 Feb 2024 11:06:54 -0500
Subject: [PATCH 2/3] Scanning-secrets: Support new-branch/renovate link
Signed-off-by: Chris Evich
---
 .github/workflows/scan-secrets.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/scan-secrets.yml b/.github/workflows/scan-secrets.yml
index f429447d2d..38f8344311 100644
--- a/.github/workflows/scan-secrets.yml
+++ b/.github/workflows/scan-secrets.yml
@@ -81,6 +81,12 @@ jobs:
 name: Provide URL showing code that needs human eyes (force-push or merge)
 shell: bash
 run: |
+ if [[ "$before" =~ ^0000+ ]]; then # Push to new branch (i.e. renovate branch)
+ echo "Please review newly opened branch for secret-leaks:"
+ # The event JSON provides the URL we need
+ jq -r -e '.compare' $GITHUB_EVENT_PATH
+ return 0
+ fi
 echo "Please review force-push or merged-pr changes for secret-leaks:"
 before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)
 after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)
From c5c0799329e55d2a643905312154d13660018a96 Mon Sep 17 00:00:00 2001
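Review bot: The switch from `github.event_name` to `github.event.action` on the changed `if:` line is correct but undocumented, and the third patch's message ("I have no idea why the event_name != github.event.action") shows the distinction is not obvious to the next maintainer. `github.event_name` is the event type that triggered the run (`pull_request`, `push`), while `github.event.action` is the activity type inside that event (`opened`, `synchronize`), so `github.event_name == 'opened'` could never be true and this review-URL step never ran. A one-line comment above the step would settle it: `# github.event_name is the trigger (pull_request/push); the activity type (opened, synchronize) lives in github.event.action`. The same comment applies to the `synchronize` condition changed in the third patch. The step's `run:` body is outside this hunk.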
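Review bot: In the added `if [[ "$before" =~ ^0000+ ]]` block, `$before` is tested before it is assigned — the `before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)` line that sets it comes after the `fi` — so unless `before` is exported through an `env:` block outside the hunk, the variable is empty, the new-branch path is never taken, and a push to a new (renovate) branch still falls through to the force-push path and prints a `compare/000…0...<after>` link that does not resolve, leaving the human reviewer without a usable URL. The added `return 0` is also outside any function; bash rejects `return` at the top level of a non-sourced script and, with the `-e` the runner passes for `shell: bash`, the step fails instead of exiting cleanly, so it should be `exit 0`. Move `before=$(jq -r -e '.before' $GITHUB_EVENT_PATH)` and `after=$(jq -r -e '.after' $GITHUB_EVENT_PATH)` above the `if`, and replace `return 0` with `exit 0`. Since the null SHA is all zeros, `^0+$` matches more tightly than `^0000+`, and `"$GITHUB_EVENT_PATH"` should be quoted.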
From: Chris Evich
Date: Thu, 1 Feb 2024 11:28:49 -0500
Subject: [PATCH 3/3] Scan-secrets: Fix PR forcepush detection condition
I have no idea why the `event_name` != `github.event.action`, but in this case it doesn't. For consistency with other related condition checks, use the later over the former.
Signed-off-by: Chris Evich
---
 .github/workflows/scan-secrets.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan-secrets.yml b/.github/workflows/scan-secrets.yml
index 38f8344311..3e0420053b 100644
--- a/.github/workflows/scan-secrets.yml
+++ b/.github/workflows/scan-secrets.yml
@@ -77,7 +77,7 @@ jobs:
 # Provide handy URL for examination of secret leaks for all events that
 # trigger this action.
- - if: github.event_name == 'synchronize' || github.base_ref == ''
+ - if: github.event.action == 'synchronize' || github.base_ref == ''
 name: Provide URL showing code that needs human eyes (force-push or merge)
 shell: bash
 run: |
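Review bot: On the changed `if:` line, `github.base_ref == ''` is used to detect push events, but `base_ref` is only populated for pull-request triggers, so the comparison is also true for any other trigger (manual dispatch, schedule) the workflow may gain later, and then this step's `jq -r -e '.before'` would fail on an event payload without that field. `github.event.action == 'synchronize' || github.event_name == 'push'` states the intent directly and stays correct if triggers are added; the `on:` block is outside the hunk, so confirm it matches before changing. The step's `run:` body continues outside this hunk.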