
Update action.yml#164

Merged
guibranco merged 1 commit into main from feature/163-bug-suggestion-block-for-infisicalignore-not-rendering-commit-suggestion-button-in-pr-comments
Apr 13, 2026

Conversation

@guibranco
Owner

@guibranco guibranco commented Apr 13, 2026

📑 Description

Update action.yml

✅ Checks

  • My pull request adheres to the code style of this project
  • My code requires changes to the documentation
  • I have updated the documentation as required
  • All the tests have passed

☢️ Does this introduce a breaking change?

  • Yes
  • No


Summary by Sourcery

Add automatic PR review suggestions for updating .infisicalignore and adjust PR guidance on handling detected secrets.

New Features:

  • Post a GitHub review comment suggesting updates to .infisicalignore when secrets are detected and comments are enabled.

Enhancements:

  • Clarify PR comment instructions to manually add fingerprint content to a .infisicalignore file instead of embedding the generated suggestion output.

Summary by CodeRabbit

  • New Features

    • GitHub Action now automatically posts review suggestions to pull requests when secrets are detected.
  • Improvements

    • Updated PR comment instructions for addressing detected secrets, providing clearer guidance for users on securing their repository.

@sourcery-ai

sourcery-ai Bot commented Apr 13, 2026

Reviewer's Guide

Extends the GitHub Action to automatically post a PR review suggestion with the proposed .infisicalignore contents when secrets are found, and clarifies follow-up instructions in the success comment message.

Sequence diagram for GitHub Action posting .infisicalignore review suggestion

sequenceDiagram
  actor Developer
  participant GitHub
  participant GitHubAction as GitHub_Actions_Workflow
  participant ScanStep as Secret_Scan_Step
  participant ScriptStep as Create_Review_Suggestion_Step
  participant GitHubAPI as GitHub_REST_API

  Developer->>GitHub: Open_or_update_pull_request
  GitHub->>GitHubAction: Trigger_workflow_on_PR
  GitHubAction->>ScanStep: Run_secret_scan
  ScanStep-->>GitHubAction: SECRETS_FOUND=true, new-ignorefile.txt

  GitHubAction->>ScriptStep: Run_if(SECRETS_FOUND=true, FORKED=false, ADD_COMMENT=true)
  ScriptStep->>ScriptStep: Read_new-ignorefile.txt
  ScriptStep->>ScriptStep: Build_suggestionBlock_for_.infisicalignore
  ScriptStep->>GitHubAPI: pulls.createReview(COMMENT_with_suggestion)
  GitHubAPI-->>ScriptStep: Review_comment_created
  ScriptStep-->>GitHubAction: Success

  GitHubAction-->>Developer: PR_shows_review_suggestion_for_.infisicalignore

File-Level Changes

Change: Add a github-script step that posts a review suggestion containing the generated .infisicalignore contents directly to the pull request when secrets are detected.
Details:
  • Insert a new job step that uses actions/github-script@v7, gated on secrets being found, the repo not being a fork, and PR comments being enabled.
  • Read the generated ignorefile content from new-ignorefile.txt within the script using Node's fs module.
  • Format the file contents as a GitHub review suggestion block targeting .infisicalignore.
  • Retrieve the current pull request from the GitHub Actions context and exit gracefully if the workflow is not running on a PR event.
  • Call github.rest.pulls.createReview to submit a COMMENT review on the PR containing the formatted suggestion and a short explanatory heading.
  • Log a success message after posting the review suggestion.
Files: action.yml

Change: Update the success PR comment guidance to instruct users to manually create or update .infisicalignore instead of inlining the suggestion output.
Details:
  • Replace the previous inline output of the ignore suggestion with a static explanation of how to use the fingerprint content.
  • Clarify that users should add the fingerprint content to a .infisicalignore file at the repository root to ignore leaked secrets.
Files: action.yml

Assessment against linked issues

Issue #163, objective: Post the .infisicalignore suggestion as a pull request review (instead of a normal PR comment) so that GitHub renders a commit suggestion button for updating .infisicalignore.

Issue #163, objective: Ensure the workflow avoids duplicate suggestions on re-runs and prevents duplicate fingerprints from being proposed or written to .infisicalignore. Explanation: The new step unconditionally creates a new pull request review with the suggestion content on each run and does not include any logic to detect or skip previously posted suggestions. There is also no visible change related to deduplicating fingerprints beyond existing behavior.

Issue #163, objective: Update documentation to reflect the new review-based suggestion behavior for .infisicalignore. Explanation: The PR only modifies action.yml and does not include any documentation changes.


@guibranco guibranco enabled auto-merge (squash) April 13, 2026 10:54
@gstraccini gstraccini Bot added ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) :octocat: github-actions GitHub Actions for automation and CI/CD Bug fix documentation enhancement New feature or request github_actions Pull requests that update GitHub Actions code Tests 🐛 bug Issues related to bugs or errors 📝 documentation Tasks related to writing or updating documentation 🕓 medium effort A task that can be completed in a few hours 🧪 tests Tasks related to testing labels Apr 13, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Apr 13, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

The action.yml file was updated to add a new composite step that creates and posts a GitHub review suggestion for the .infisicalignore file when secrets are detected. The PR comment content was simplified to direct users to add content to .infisicalignore at repository root instead of including an inline suggestion block.

Changes

Cohort / File(s): GitHub Action Workflow Configuration (action.yml)
Summary: Added composite step to generate and post GitHub review suggestion for .infisicalignore when secrets are found (conditioned on SECRETS_FOUND, FORKED, and inputs.ADD_COMMENT flags). Updated PR comment to reference fingerprint content and guide users to .infisicalignore location.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. The title 'Update action.yml' is generic and vague, failing to convey what specific aspect of action.yml was changed or why. Resolution: Revise the title to be more specific, such as 'Add review suggestion step for .infisicalignore file' or 'Fix suggestion block rendering in PR comments for .infisicalignore'.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@deepsource-io

deepsource-io Bot commented Apr 13, 2026

DeepSource Code Review

We reviewed changes in f2a779b...3333cc5 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.


Code Review Summary

Analyzer: Secrets | Updated (UTC): Apr 13, 2026 10:54 a.m.


@penify-dev
Contributor

penify-dev Bot commented Apr 13, 2026

Failed to generate code suggestions for PR

@github-actions github-actions Bot deleted a comment from guibranco Apr 13, 2026
@guibranco guibranco merged commit e87d9c1 into main Apr 13, 2026
14 of 16 checks passed
@guibranco guibranco deleted the feature/163-bug-suggestion-block-for-infisicalignore-not-rendering-commit-suggestion-button-in-pr-comments branch April 13, 2026 10:55

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've found 1 issue, and left some high level feedback:

  • In the github-script step that creates the review suggestion, consider wrapping the fs.readFileSync('new-ignorefile.txt', 'utf8') call in a try/catch and logging a clear message so the workflow fails gracefully if the file is missing or empty rather than hard-failing the job.
  • The updated PR comment text now only references adding fingerprint content to .infisicalignore but no longer inlines the suggestion output; if the intent is for users to easily copy-paste, you might want to either keep the rendered suggestion in the comment or explicitly point them to the new review suggestion instead.
## Individual Comments

### Comment 1
<location path="action.yml" line_range="330-331" />
<code_context>
+          const suggestion =
+            fs.readFileSync('new-ignorefile.txt', 'utf8');
+
+          const suggestionBlock =
+            "```suggestion:.infisicalignore\n" +
+            suggestion +
+            "\n```";
</code_context>
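Review bot: the fence info string `suggestion:.infisicalignore` is not a GitHub suggestion (it must be exactly `suggestion`), and even with that fixed, GitHub only renders a "Commit suggestion" button for a suggestion in a line-level review comment on a file that is part of the PR diff; a suggestion placed in the body of `pulls.createReview`, as the reviewer's guide describes, still renders as a plain fenced block, which is the symptom issue #163 reports. Attach it through the review's `comments` array with a `path` and `line` (which requires `.infisicalignore` to be in the diff), or fall back to a plain comment that tells the user to apply the content. Separately, `fs.readFileSync('new-ignorefile.txt', 'utf8')` has no error handling, so a missing or empty file fails the whole job instead of skipping this step.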
<issue_to_address>
**issue:** GitHub suggestion code block syntax is likely incorrect with the `:.infisicalignore` suffix.

GitHub suggestions should use ```suggestion (optionally with a language), not `suggestion:.filename`. Using "```suggestion\n" will make this render as an inline suggestion instead of a plain fenced code block.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread action.yml
Comment on lines +330 to +331
const suggestionBlock =
"```suggestion:.infisicalignore\n" +


issue: GitHub suggestion code block syntax is likely incorrect with the `:.infisicalignore` suffix.

GitHub suggestions should use ```suggestion (optionally with a language), not `suggestion:.filename`. Using "```suggestion\n" will make this render as an inline suggestion instead of a plain fenced code block.

@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


Repository owner deleted a comment from github-actions Bot Apr 13, 2026
@guibranco
Owner Author

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs
2026-04-13T10:55:35Z INF scanning for exposed secrets...
10:55AM INF 145 commits scanned.
2026-04-13T10:55:35Z INF scan completed in 25ms
2026-04-13T10:55:35Z INF no leaks found



Development

Successfully merging this pull request may close these issues.

[BUG] Suggestion block for .infisicalignore not rendering commit suggestion button in PR comments
