From 0b27e59ac567335713d6593f548e99c31afccc05 Mon Sep 17 00:00:00 2001
From: Abdelrahman Abdelrahman
Date: Tue, 6 Jan 2026 10:44:23 +0000
Subject: [PATCH 1/2] Use triple dot to get PR diff changes

It was incorrectly assumed that `git diff A..B` would behave similarly to `git log A..B`, but that is not the case. Counterintuitively, it behaves like `git log A...B`, getting changes from the main branch as well, which is not what we want. The correct command is `git diff A...B`. This behaves like `git log A..B` as expected. See https://stackoverflow.com/questions/7251477/what-are-the-differences-between-double-dot-and-triple-dot-in-git-dif/46345364#46345364
---
 tools/@aws-cdk/security-guardian/src/get-changed-files.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/@aws-cdk/security-guardian/src/get-changed-files.ts b/tools/@aws-cdk/security-guardian/src/get-changed-files.ts
index 8222098669757..9a40c933b8cbc 100644
--- a/tools/@aws-cdk/security-guardian/src/get-changed-files.ts
+++ b/tools/@aws-cdk/security-guardian/src/get-changed-files.ts
@@ -7,7 +7,7 @@ export async function detectChangedTemplates(baseSha: string, headSha: string, w
   core.info(`Detecting changed .template.json files from ${baseSha} to ${headSha}`);
   let stdout = '';
-  await exec.exec('git', ['diff', '--name-status', `${baseSha}..${headSha}`], {
+  await exec.exec('git', ['diff', '--name-status', `${baseSha}...${headSha}`], {
     listeners: {
       stdout: (data: Buffer) => {
         stdout += data.toString();

From 1dbf046a625d2f9441df078d12148848f7a33bca Mon Sep 17 00:00:00 2001
From: Pratik kumar
Date: Tue, 20 Jan 2026 13:21:32 +0100
Subject: [PATCH 2/2] chore: fix a test mock to use 3 dots instead of 2 dots

---
 .../@aws-cdk/security-guardian/test/get-changed-files.test.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
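Review bot: The three-dot range on the added `exec.exec` line requires the merge base of baseSha and headSha to exist in the local checkout, which the old two-dot form did not; on a shallow clone (for example actions/checkout at its default fetch depth) git aborts with a "no merge base" error, so the calling workflow has to fetch enough history and the line deserves a comment such as `// base...head: only changes introduced on head since its merge base with base (three-dot diff); the merge base must be present locally, so the checkout cannot be shallow.` If `exec.exec` keeps its default of rejecting on a non-zero exit, that failure is fail-closed, which is the right outcome for a guardian check, but it is worth confirming that nothing outside this hunk catches the rejection and reports "no changed templates" instead. Both SHAs are interpolated into a single git argument, so a baseSha beginning with `-` would be parsed as an option rather than a revision; if the values come straight from event input, a guard like `if (baseSha.startsWith('-')) throw new Error(\`invalid base ref: ${baseSha}\`);` before the call is cheap insurance. detectChangedTemplates begins before this hunk and its body continues past it.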
diff --git a/tools/@aws-cdk/security-guardian/test/get-changed-files.test.ts b/tools/@aws-cdk/security-guardian/test/get-changed-files.test.ts
index 2bd07e5cc9fed..d1b45701126ac 100644
--- a/tools/@aws-cdk/security-guardian/test/get-changed-files.test.ts
+++ b/tools/@aws-cdk/security-guardian/test/get-changed-files.test.ts
@@ -43,7 +43,7 @@ describe('Changed Files Detection', () => {
   const verifyGitCommands = () => {
     expect(mockExec.exec).toHaveBeenCalledWith(
       'git',
-      ['diff', '--name-status', 'main..HEAD'],
+      ['diff', '--name-status', 'main...HEAD'],
       expect.any(Object)
     );
     expect(mockExec.getExecOutput).toHaveBeenCalledWith(
@@ -122,4 +122,4 @@ describe('Changed Files Detection', () => {
     expect(mappedFiles).not.toContain('file3.js');
   });
 });
-});
\ No newline at end of file
+});