chore(trufflehog): update-excludes.sh + clearer prefixes.txt how-to

Made-with: Cursor

Author: isaiah-grafana

.github/workflows/reusable-trufflehog.yml

@@ -57,8 +57,7 @@ jobs:
           DEST=/tmp/trufflehog-exclude.txt
           REPO=grafana/security-github-actions
           REF=main
-          # Prefer trufflehog/global-exclude.txt on main. To change rules: edit trufflehog/prefixes.txt
-          # and/or trufflehog/build_exclude_file.py, then: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
+          # Exclusions: edit trufflehog/prefixes.txt, run ./trufflehog/update-excludes.sh, commit prefixes + global-exclude.txt
           RAW_BASE="https://raw.githubusercontent.com/grafana/security-github-actions/${REF}/trufflehog"
           RAW_URL="${RAW_BASE}/global-exclude.txt"
           RAW_BUILD="${RAW_BASE}/build_exclude_file.py"
@@ -84,8 +83,7 @@ jobs:
             echo "::warning::Could not fetch or rebuild TruffleHog excludes from ${REPO}@${REF}. Using last-resort bundled file — merge to main or fix token access."
             # Last resort only: must match stdout of python3 trufflehog/build_exclude_file.py (same commit).
             cat > "${DEST}" <<'EOF'
-          # Generated by trufflehog/build_exclude_file.py + trufflehog/prefixes.txt — do not edit by hand.
-          # Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
+          # Generated — do not edit by hand. Edit trufflehog/prefixes.txt then run ./trufflehog/update-excludes.sh
           #
           # --- directory prefixes (from prefixes.txt) ---
           # prefix: vendor

trufflehog/build_exclude_file.py

@@ -1,14 +1,5 @@
 #!/usr/bin/env python3
-"""
-Emit TruffleHog --exclude-paths file content to stdout.
-
-Edit trufflehog/prefixes.txt, then:
-  python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
-
-If you change STATIC_PATTERNS or prefix rules, refresh the last-resort heredoc in
-.github/workflows/reusable-trufflehog.yml to match this script's stdout (or rely on
-fetch / rebuild-from-prefixes paths in CI).
-"""
+"""Build TruffleHog exclude file. Prefer: ./trufflehog/update-excludes.sh from repo root."""
 
 from __future__ import annotations
 
@@ -53,8 +44,7 @@ def main() -> None:
 
     lines: list[str] = []
     lines.append(
-        "# Generated by trufflehog/build_exclude_file.py + trufflehog/prefixes.txt — do not edit by hand.\n"
-        "# Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt\n"
+        "# Generated — do not edit by hand. Edit trufflehog/prefixes.txt then run ./trufflehog/update-excludes.sh\n"
         "#\n"
     )
 

trufflehog/global-exclude.txt

@@ -1,5 +1,4 @@
-# Generated by trufflehog/build_exclude_file.py + trufflehog/prefixes.txt — do not edit by hand.
-# Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
+# Generated — do not edit by hand. Edit trufflehog/prefixes.txt then run ./trufflehog/update-excludes.sh
 #
 # --- directory prefixes (from prefixes.txt) ---
 # prefix: vendor

trufflehog/prefixes.txt

@@ -1,5 +1,13 @@
-# One repo-relative directory prefix per line (forward slashes). No regex.
-# Regenerate: python3 trufflehog/build_exclude_file.py > trufflehog/global-exclude.txt
+# How to add a directory exclusion (no regex — one path per line):
+#
+#   1. Add a line below (repo-relative path, use /), e.g.  docs/imported
+#   2. From the repo root, run:  ./trufflehog/update-excludes.sh
+#   3. Commit and push BOTH:
+#        trufflehog/prefixes.txt
+#        trufflehog/global-exclude.txt
+#   4. Merge to main — consumer repos pick it up automatically.
+#
+# Lockfiles (go.sum, package.json, …) are listed in trufflehog/build_exclude_file.py if you need to change those.
 
 vendor
 content/grafana/dashboards

trufflehog/update-excludes.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Regenerates trufflehog/global-exclude.txt from prefixes.txt + build_exclude_file.py
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+python3 "${ROOT}/trufflehog/build_exclude_file.py" > "${ROOT}/trufflehog/global-exclude.txt"
+echo "Wrote ${ROOT}/trufflehog/global-exclude.txt"