
Pin DSPy dependency to version 2.6.27 to prevent compatibility issues with the Nova Prompt Optimizer SDK #29

Pin DSPy dependency to version 2.6.27 to prevent compatibility issues with the Nova Prompt Optimizer SDK


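# Scan the changes introduced by a pull request for committed credentials
# using awslabs/git-secrets. The job only reads the repository; nothing is
# written back, so the workflow token is scoped to read access below.
name: git-secrets-scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: the default GITHUB_TOKEN permissions are broader than
# this job needs. Checkout and scanning only read repository contents.
permissions:
  contents: read

jobs:
  scan-for-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR code
        # NOTE(review): `v4` is a moving major tag; pinning to a full commit
        # SHA makes the action immutable against tag retargeting.
        uses: actions/checkout@v4
        with:
          # Full history so both the base and head commits of the PR are
          # present locally for the `git cat-file` / `git diff` calls below.
          fetch-depth: 0

      - name: Install git-secrets
        # NOTE(review): this clones the upstream default branch, i.e. an
        # unpinned scanner. Prefer `git clone --branch <release tag>` or a
        # checkout of a known commit SHA so the tool itself is not a moving
        # target in the supply chain of this check.
        run: |
          git clone https://github.com/awslabs/git-secrets.git
          cd git-secrets
          sudo make install

      - name: Configure git-secrets
        run: |
          # Installs the hooks and registers the AWS credential patterns
          # that `git secrets --scan` matches against.
          git secrets --install
          git secrets --register-aws

      - name: Get base and head commit SHAs
        id: pr_info
        run: |
          # Read the SHAs from the event payload (not from user-controlled
          # fields such as branch names or titles) and require exactly 40
          # lowercase hex characters before they reach any later command.
          base_sha=$(jq -r .pull_request.base.sha "$GITHUB_EVENT_PATH")
          head_sha=$(jq -r .pull_request.head.sha "$GITHUB_EVENT_PATH")
          if [[ ! "$base_sha" =~ ^[a-f0-9]{40}$ ]]; then
            echo "::error::Invalid base SHA format: $base_sha"
            exit 1
          fi
          if [[ ! "$head_sha" =~ ^[a-f0-9]{40}$ ]]; then
            echo "::error::Invalid head SHA format: $head_sha"
            exit 1
          fi
          echo "base_sha=$base_sha" >> "$GITHUB_OUTPUT"
          echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"

      - name: Scan diff for secrets
        # Step outputs are handed over through the environment rather than
        # interpolated with `${{ }}` into the script body. The values are
        # validated above, but an environment variable is never re-parsed
        # as shell text, so this stays safe even if the validation changes.
        env:
          BASE_SHA: ${{ steps.pr_info.outputs.base_sha }}
          HEAD_SHA: ${{ steps.pr_info.outputs.head_sha }}
        run: |
          base_sha="$BASE_SHA"
          head_sha="$HEAD_SHA"
          # Verify both commits are actually present in the checkout.
          if ! git cat-file -e "$base_sha" 2>/dev/null; then
            echo "::error::Base commit $base_sha not found"
            exit 1
          fi
          if ! git cat-file -e "$head_sha" 2>/dev/null; then
            echo "::error::Head commit $head_sha not found"
            exit 1
          fi
          # Produce the diff first and check its own exit status. In a
          # `git diff | git secrets --scan -` pipeline the status of
          # `timeout`/`git diff` is discarded (the default `run` shell is
          # `bash -e` without pipefail), so a timed-out or failed diff would
          # feed an empty or truncated stream to the scanner and the step
          # would pass. A diff that cannot be produced must fail the check.
          diff_file="$(mktemp)"
          trap 'rm -f "$diff_file"' EXIT
          if ! timeout 300 git diff "$base_sha".."$head_sha" > "$diff_file"; then
            echo "::error::git diff failed or timed out; the PR was not scanned."
            exit 1
          fi
          # Same stdin scan mode as before, now fed from the completed diff.
          if ! git secrets --scan - < "$diff_file"; then
            echo "::error::git-secrets detected sensitive content in this PR."
            exit 1
          fi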