@@ -314,7 +314,44 @@ runs:
314314 cat new-ignorefile.txt >> $GITHUB_OUTPUT
315315 echo '```' >> $GITHUB_OUTPUT
316316 echo "EOF" >> $GITHUB_OUTPUT
317-
317+
318+ - name : Create review suggestion for .infisicalignore
319+ uses : actions/github-script@v7
320+ if : env.SECRETS_FOUND == 'true' && env.FORKED == 'false' && inputs.ADD_COMMENT == 'true'
321+ with :
322+ github-token : ${{ inputs.GH_TOKEN }}
323+ script : |
324+
325+ const fs = require('fs');
326+
327+ const suggestion =
328+ fs.readFileSync('new-ignorefile.txt', 'utf8');
329+
330+ const suggestionBlock =
331+ "```suggestion:.infisicalignore\n" +
332+ suggestion +
333+ "\n```";
334+
335+ const pr = context.payload.pull_request;
336+
337+ if (!pr) {
338+ core.info("Not a PR event — skipping review suggestion.");
339+ return;
340+ }
341+
342+ await github.rest.pulls.createReview({
343+ owner: context.repo.owner,
344+ repo: context.repo.repo,
345+ pull_number: pr.number,
346+ event: "COMMENT",
347+ body:
348+ "### Suggested update for `.infisicalignore`\n\n" +
349+ "Apply this suggestion to ignore detected fingerprints:\n\n" +
350+ suggestionBlock
351+ });
352+
353+ core.info("Review suggestion posted successfully.");
354+
318355 - name : Update PR with comment (success)
319356 uses : mshick/add-pr-comment@v3
320357 if : env.SCAN_RAN == 'true' && env.SECRETS_FOUND == 'false' && env.FORKED == 'false' && inputs.ADD_COMMENT == 'true'
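Review bot: The review body assembled in the new github-script step embeds `new-ignorefile.txt` verbatim inside a ```suggestion fence, so any line of that file containing three backticks closes the fence and everything after it renders as free Markdown posted under the token's identity; if the fingerprint lines carry repository paths chosen by the PR author, that is a content-injection point, so check `if (suggestion.includes("```")) { core.setFailed("unexpected fence in ignore file"); return; }` before posting. A review body is also not a line-anchored review comment, so GitHub will not offer the block as an applicable suggestion (suggestions are only applied from comments attached to a diff line, and `suggestion:.infisicalignore` is not an info string GitHub recognizes as far as I know) — a plain fence, `"```\n" + suggestion + "\n```"`, with the file name named in the text would set the right expectation. Because this comment nudges reviewers toward silencing a secret finding, the body should carry the caveat `"Ignoring a fingerprint only suppresses the alert; a real secret must still be revoked and rotated.\n\n"`. The `if (!pr)` guard belongs before `fs.readFileSync`, which otherwise throws on a non-PR run where the file may not exist; this step also omits the `env.SCAN_RAN == 'true'` condition that the sibling comment steps use.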
@@ -380,9 +417,7 @@ runs:
380417 </details>
381418
382419 > [!TIP]
383- > You can commit the fingerprint list below to automatically create or update `.infisicalignore`:
384-
385- ${{ steps.ignore_suggestion.outputs.suggestion }}
420+ > If you want to ignore these leaked secrets, add the above **fingerprint** content to a file named `.infisicalignore` at the repository root level.
386421
387422 - name : Update PR with comment (tool failure)
388423 uses : mshick/add-pr-comment@v3