
Add PR Code Security Workflow#5994

Merged
luiz1361 merged 2 commits into dev from infra/add-pr-code-security-20260306122951
Mar 6, 2026

Conversation

Contributor

@luiz1361 luiz1361 commented Mar 6, 2026

Summary

Adds a GitHub Actions workflow that runs on every pull request targeting the default branch:

  • Secret Detection - reusable workflow from prisma/.github
  • Code Scanning - reusable workflow from prisma/.github

Both workflows are maintained centrally in prisma/.github and invoked via uses: with secrets: inherit.

Why

Ensures all PRs are scanned for leaked secrets and code security issues before merge.

Summary by CodeRabbit

  • Chores
    • Added automated workflow checks that run on pull requests targeting the development branch.
    • Introduced secret-detection and code-scanning jobs to improve security and static analysis during PRs.

@luiz1361 luiz1361 requested a review from a team as a code owner March 6, 2026 12:32
@luiz1361 luiz1361 self-assigned this Mar 6, 2026

coderabbitai bot commented Mar 6, 2026

Walkthrough

Adds a new GitHub Actions workflow that triggers on pull_request events targeting the dev branch and runs secret-detection and code-scanning jobs using shared workflow definitions from the prisma repository.

Changes

Cohort / File(s): GitHub Actions Security Workflow (.github/workflows/pr-code-security.yml)
Summary: Adds a workflow that triggers on pull_request to the dev branch and defines two jobs: secret-detection (calls prisma/.github/.github/workflows/secret_detection.yml@main with secrets inherited) and code-scanning (calls prisma/.github/.github/workflows/code_scanning.yml@main).
Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'Add PR Code Security Workflow' accurately and concisely describes the main change—adding a new GitHub Actions workflow file for PR code security checks.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5b27606b-a498-4855-a89d-263649548ec6

📥 Commits

Reviewing files that changed from the base of the PR and between eeef701 and 1e335e4.

📒 Files selected for processing (1)
  • .github/workflows/pr-code-security.yml


@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (2)
.github/workflows/pr-code-security.yml (2)

10-10: ⚠️ Potential issue | 🟠 Major

Pin reusable workflow to a specific commit SHA.

Referencing @main exposes this workflow to supply chain attacks—if the upstream repository is compromised, malicious code could execute in your CI. Pin to a specific commit SHA instead.

🔒 Example fix
-    uses: prisma/.github/.github/workflows/secret_detection.yml@main
+    uses: prisma/.github/.github/workflows/secret_detection.yml@<commit-sha>
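Review bot: the replacement line should carry the tag or version the SHA corresponds to as a trailing YAML comment (for example `@<commit-sha> # <tag>`), because a bare 40-character SHA says nothing about what was pinned and makes later updates hard to audit; a SHA pin also needs a dependency-update bot or a documented bump procedure, otherwise the `secret_detection.yml` reference silently freezes the scanner at that commit.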

Replace <commit-sha> with the actual SHA of the trusted commit.


12-14: ⚠️ Potential issue | 🟠 Major

Missing secrets: inherit and should pin to commit SHA.

  1. The PR description states both jobs use secrets: inherit, but this job is missing it. If the code-scanning workflow requires secrets (e.g., for SARIF upload), it will fail.
  2. Pin to a commit SHA instead of @main (same supply chain concern as secret-detection job).
🛠️ Proposed fix
   code-scanning:
     name: Code Scanning
-    uses: prisma/.github/.github/workflows/code_scanning.yml@main
+    uses: prisma/.github/.github/workflows/code_scanning.yml@<commit-sha>
+    secrets: inherit
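Review bot: `secrets: inherit` hands every secret of the calling repository to the called workflow, so the two added lines must land together: `secrets: inherit` against a `@main` reference would widen exactly the blast radius the SHA pin is meant to contain. The comment above hedges with "if the code-scanning workflow requires secrets"; that should be confirmed against the upstream `code_scanning.yml` before inheriting, since `inherit` is broader than passing the one named secret it needs.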



ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d111fc2e-b16f-46e3-944a-0659005f6d86

📥 Commits

Reviewing files that changed from the base of the PR and between 1e335e4 and 25cae48.

📒 Files selected for processing (1)
  • .github/workflows/pr-code-security.yml
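As an added check (not part of this PR or of the prisma repositories), the script below audits a workflow file for the two points raised in the review comments above: a `uses:` reference that is not pinned to a full 40-character commit SHA, and a job that combines such a mutable reference with `secrets: inherit`. The sample workflow string is constructed from the PR description, with the `@main` references the review flags.

```python
import re
# Constructed sample modelled on the workflow this PR describes; it is not the repo's file.
SAMPLE_WORKFLOW = """\
on:
  pull_request:
    branches: [dev]
jobs:
  secret-detection:
    name: Secret Detection
    uses: prisma/.github/.github/workflows/secret_detection.yml@main
    secrets: inherit
  code-scanning:
    name: Code Scanning
    uses: prisma/.github/.github/workflows/code_scanning.yml@main
"""

USES_RE = re.compile(r"^(\s*)uses:\s*(\S+)")       # job-level call of a reusable workflow
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")             # a full commit SHA is the only immutable ref

def _indent(line):
    return len(line) - len(line.lstrip())

def _same_mapping(lines, idx, indent):
    """Non-blank lines at the same indentation as lines[idx]: the other keys of that job."""
    for step in (-1, 1):
        j = idx + step
        while 0 <= j < len(lines) and (not lines[j].strip() or _indent(lines[j]) >= indent):
            if _indent(lines[j]) == indent and lines[j].strip():
                yield lines[j]
            j += step

def audit_uses(workflow_text):
    """One tuple per `uses:` line: (line_no, ref, pinned_to_sha, inherits_secrets)."""
    lines = workflow_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        indent, ref = len(m.group(1)), m.group(2)
        version = ref.rpartition("@")[2] if "@" in ref else ""
        pinned = bool(SHA_RE.match(version))
        inherits = any(INHERIT_RE.match(ln) for ln in _same_mapping(lines, idx, indent))
        findings.append((idx + 1, ref, pinned, inherits))
    return findings

def worst_cases(findings):
    """Mutable refs that also receive every caller secret: the highest-risk combination."""
    return [ref for _, ref, pinned, inherits in findings if not pinned and inherits]
```

Run against the sample, both jobs are reported as unpinned and the secret-detection job is the one that also inherits secrets; replacing `@main` with a full SHA clears both findings.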

@luiz1361 luiz1361 merged commit f3998bb into dev Mar 6, 2026
118 of 151 checks passed
@luiz1361 luiz1361 deleted the infra/add-pr-code-security-20260306122951 branch March 6, 2026 13:16
2 participants