From 88b377ecfb8a8b2b3cb07ef5b6d149a51d12f6a8 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 15 Apr 2026 21:03:05 +0000
Subject: [PATCH] fix: add file package for binary detection, document
 shallow-clone tradeoff

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .woodpecker/run-secret-scan.sh | 4 +++-
 .woodpecker/secret-scan.yml    | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.woodpecker/run-secret-scan.sh b/.woodpecker/run-secret-scan.sh
index 97bcacd..e8d7d5d 100644
--- a/.woodpecker/run-secret-scan.sh
+++ b/.woodpecker/run-secret-scan.sh
@@ -23,7 +23,9 @@ SECRET_PATH_PATTERNS=(
 path_regex=$(printf '%s|' "${SECRET_PATH_PATTERNS[@]}")
 path_regex="${path_regex%|}"
 
-# Get files changed in this PR vs target branch
+# Get files changed in this PR vs target branch.
+# Note: shallow clone (depth 50) may lack the merge base for very large PRs,
+# causing git diff to fail — || true means the gate skips rather than blocks.
 changed_files=$(git diff --name-only --diff-filter=ACMR "origin/${CI_COMMIT_TARGET_BRANCH}...HEAD" || true)
 
 if [ -z "$changed_files" ]; then
diff --git a/.woodpecker/secret-scan.yml b/.woodpecker/secret-scan.yml
index cf9a1c3..7db9c50 100644
--- a/.woodpecker/secret-scan.yml
+++ b/.woodpecker/secret-scan.yml
@@ -28,5 +28,5 @@ steps:
   - name: secret-scan
     image: alpine:3
     commands:
-      - apk add --no-cache bash git grep
+      - apk add --no-cache bash git grep file
       - bash .woodpecker/run-secret-scan.sh