Address PR #111 round 7: verify origin ref exists, fix submit-pr secret leak

igerber · claude · igerber · commit d5b7890beba5 · 2026-01-25T17:39:04.000-05:00
- push-pr-update: Add fallback to fetch origin/&lt;default-branch&gt; when
  neither local nor remote ref exists in single-branch clones
- submit-pr: Switch secret scan from piping diff content to using
  -G with --name-only to prevent secrets from appearing in logs

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.claude/commands/push-pr-update.md b/.claude/commands/push-pr-update.md
@@ -60,9 +60,10 @@ Parse `$ARGUMENTS` to extract:
        git rev-parse --abbrev-ref @{u} 2>/dev/null
        ```
      - If NO upstream exists:
-       - Determine comparison ref (handles shallow clones where local branch may not exist):
+       - Determine comparison ref (handles shallow/single-branch clones):
          - If `<default-branch>` exists locally (`git rev-parse --verify <default-branch> 2>/dev/null`): use `<default-branch>`
-         - Otherwise: use `origin/<default-branch>`
+         - Else if `origin/<default-branch>` exists (`git rev-parse --verify origin/<default-branch> 2>/dev/null`): use `origin/<default-branch>`
+         - Else: fetch it first (`git fetch origin <default-branch> --depth=1 2>/dev/null || true`), then use `origin/<default-branch>`
          - Store as `<comparison-ref>`
        - Check if branch has commits ahead: `git rev-list --count <comparison-ref>..HEAD 2>/dev/null || echo "0"`
        - If ahead count > 0:
diff --git a/.claude/commands/submit-pr.md b/.claude/commands/submit-pr.md
@@ -134,10 +134,11 @@ Determine if this is a fork-based workflow:
    ```
 
 2. **Secret scanning check** (AFTER staging to catch all files):
-   - **Run deterministic pattern check** (case-insensitive with expanded patterns):
+   - **Run deterministic pattern check** (file names only, no content leaked):
      ```bash
-     git diff --cached | grep -iE "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|api[_-]?key[[:space:]]*[=:]|secret[_-]?key[[:space:]]*[=:]|password[[:space:]]*[=:]|private[_-]?key|bearer[[:space:]]+[a-zA-Z0-9_-]+|token[[:space:]]*[=:])" || true
+     secret_files=$(git diff --cached -G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" --name-only 2>/dev/null || true)
      ```
+     Note: Uses `-G` to search diff content but `--name-only` to output only file names, preventing secret values from appearing in logs. The `|| true` prevents exit status 1 when patterns match from aborting strict runners.
    - **Check for sensitive file names** (case-insensitive):
      ```bash
      git diff --cached --name-only | grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" || true
@@ -151,7 +152,7 @@ Determine if this is a fork-based workflow:
      ```bash
      git diff --cached --name-only --diff-filter=A
      ```
-   - If pattern check returns matches or sensitive files detected, **unstage and warn**:
+   - **If patterns detected** (i.e., `secret_files` or sensitive file names non-empty), **unstage and warn**:
      ```bash
      git reset HEAD  # Unstage all files
      ```
