Secret detection CI job fails on tag pipeline
Summary
The job secret_detection from template Secret-Detection.gitlab-ci.yml fails on pipelines for a tag.
This issue most likely doesn't happen unless users override the rules for running the pipeline (which we do quite often at GitLab, e.g. in gitlab-ui).
Steps to reproduce
- Include the Secret-Detection.gitlab-ci.yml template in your CI configuration:
  include:
    - template: Secret-Detection.gitlab-ci.yml
- Set the workflow rules to run all jobs on tags:
  workflow:
    rules:
      - if: $CI_COMMIT_TAG
- Override the default rules for the secret_detection job:
  .secure-jobs-config: &secure-jobs-config
    needs: []
    rules:
      - when: on_success
  secret_detection:
    <<: *secure-jobs-config
- Push a tag to the project and see secret_detection fail with:
  fatal: ambiguous argument 'refs/remotes/origin/main...refs/remotes/origin/v3.3.0': unknown revision or path not in the working tree.
Example Project
GitLab VS Code Extension
What is the current bug behavior?
The secret_detection job fails.
What is the expected correct behavior?
The secret_detection job succeeds.
Relevant logs and/or screenshots
$ git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_BUILD_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
fatal: ambiguous argument 'refs/remotes/origin/main...refs/remotes/origin/v3.3.0': unknown revision or path not in the working tree.
The part of the CI template causing the issue:
script:
- git fetch origin $CI_DEFAULT_BRANCH $CI_BUILD_REF_NAME
- git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_BUILD_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
Possible fixes
The range refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_BUILD_REF_NAME passed to git log gets expanded to refs/remotes/origin/main...refs/remotes/origin/v3.3.0 on a tag pipeline, and the command fails with:
fatal: ambiguous argument 'refs/remotes/origin/main...refs/remotes/origin/v3.3.0': unknown revision or path not in the working tree.
We could change the template to:
script:
- git fetch origin $CI_DEFAULT_BRANCH $CI_BUILD_REF_NAME
- - git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_BUILD_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
+ - git log --left-right --cherry-pick --pretty=format:"%H" $CI_DEFAULT_BRANCH...$CI_BUILD_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
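Review bot: the `+` line drops the refs/remotes/origin/ prefix from both sides of the range, but the failure shown only concerns the tag side (refs/remotes/origin/v3.3.0 does not exist after the fetch); a bare `$CI_DEFAULT_BRANCH` (here `main`) relies on a local ref of that name resolving in the job's checkout, which nothing in the hunk guarantees, so the new line can fail with the same "unknown revision" error on the left side instead. Consider keeping refs/remotes/origin/$CI_DEFAULT_BRANCH for the left side, resolving the right side to whatever ref the preceding `git fetch origin $CI_DEFAULT_BRANCH $CI_BUILD_REF_NAME` actually populated (a tag lands under refs/tags/, not refs/remotes/origin/), and verifying both ends with `git rev-parse --verify` before running `git log` so the job reports a clear reason rather than aborting.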
Or even better, we could set the rules so that secret_detection can't run for tags and secret_detection_default_branch will run for tags.
Edited by Tomas Vik (OOO back on 2026-01-05)