Merge branch 'main' into semgrep

Author: eloymg

.github/workflows/reusable-trufflehog.yml

@@ -332,6 +332,10 @@ jobs:
             fi
           } > trufflehog_scan.txt
 
+      - name: Copy exclude file into workspace for artifact upload
+        if: always()
+        run: cp /tmp/trufflehog-exclude.txt trufflehog-exclude.txt 2>/dev/null || true
+
       - name: Upload scan results
         uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         if: always()
@@ -340,6 +344,7 @@ jobs:
           path: |
             trufflehog_scan.txt
             results.json
+            trufflehog-exclude.txt
           if-no-files-found: warn
           retention-days: 2
 
@@ -374,7 +379,7 @@ jobs:
       id-token: write
     steps:
       - name: Get Prometheus secrets from Vault
-        uses: grafana/shared-workflows/actions/get-vault-secrets@078c4a8af09e06d646077550f9e0f68171d5881e # get-vault-secrets/v1.3.1
+        uses: grafana/shared-workflows/actions/get-vault-secrets@f1614b210386ac420af6807a997ac7f6d96e477a # get-vault-secrets/v1.3.1
         with:
           common_secrets: |
             PROMETHEUS_URL=grafana-bench:prometheus_url
@@ -396,17 +401,23 @@ jobs:
             echo "::error::PROMETHEUS_URL not set; Vault step may have failed."
             exit 1
           fi
-          if ! docker pull ghcr.io/grafana/grafana-bench:v1.0.4; then
+          if ! docker pull ghcr.io/grafana/grafana-bench:v1.0.9; then
             echo "Could not pull Bench image; skipping bench step."
             exit 0
           fi
+
+          EXCLUDE_FLAG=""
+          if [[ -f "trufflehog-exclude.txt" ]]; then
+            EXCLUDE_FLAG="--trufflehog-exclude-file /tests/trufflehog-exclude.txt"
+          fi
+
           docker run --rm \
             --network=host \
             --volume="${PWD}:/tests/" \
             -e PROMETHEUS_URL="${PROMETHEUS_URL}" \
             -e PROMETHEUS_USER="${PROMETHEUS_USER}" \
             -e PROMETHEUS_PASSWORD="${PROMETHEUS_PASSWORD}" \
-            ghcr.io/grafana/grafana-bench:v1.0.4 report \
+            ghcr.io/grafana/grafana-bench:v1.0.9 report \
             --report-input trufflehog \
             --service "${BENCH_SERVICE}" \
             --service-version "${BENCH_SERVICE_VERSION}" \
@@ -415,4 +426,5 @@ jobs:
             --report-output log \
             --log-level debug \
             --prometheus-metrics \
+            ${EXCLUDE_FLAG} \
             /tests/results.json

.github/workflows/self-zizmor.yaml

@@ -45,7 +45,7 @@ jobs:
       - zizmor-check
     if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
 
-    uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@e7a3275d4c4978a3514801ec55708f1c599a6906
+    uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@9099825d5ef82fa57e0cf6a263477bc926f51bfa
     with:
       runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
       fail-severity: high