fix: trufflehog (#1211)

Author: mfranzke

.github/workflows/00-scan-secrets.yml

@@ -16,13 +16,16 @@ jobs:
         uses: ./.github/actions/extract-branch
         id: extract_branch
 
+      # https://github.com/marketplace/actions/trufflehog-oss#advanced-usage-scan-entire-branch
       - name: 🐷 TruffleHog OSS
         uses: trufflesecurity/trufflehog@main
         if: ${{ github.event.pull_request != null }} # only scan on pull-requests
         with:
-          path: ./
-          base: ${{ steps.extract_branch.outputs.branch-name }}
-          head: HEAD
+          # Setting base to an empty string scans the entire branch, per TruffleHog OSS advanced usage:
+          # https://github.com/marketplace/actions/trufflehog-oss#advanced-usage-scan-entire-branch
+          base: ""
+          head: ${{ github.ref_name }}
+          extra_args: --results=verified,unknown
 
       - name: 💀 Killing me softly
         uses: ./.github/actions/cancel-workflow