perf(trufflehog): batch PR changed-path scans

isaiah-grafana · isaiah-grafana · commit f2f56c594753 · 2026-04-14T23:12:25.000-04:00
Feed filtered paths through GNU xargs -0 so a typical PR runs one
TruffleHog process (avoids per-file startup) while argv stays under OS
limits on very large diffs. Paths are still filtered for excludes and
missing files (e.g. deletions in the diff).
diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml
@@ -147,17 +147,31 @@ jobs:
             fi
 
             if [[ -s changed-files.txt ]]; then
+              # One TruffleHog per argv batch (not per file): avoids repeated process startup on
+              # large diffs; GNU xargs -0 splits when argv would exceed OS limits.
+              paths=()
               while IFS= read -r file; do
                 if [[ -s /tmp/exclude-regexes.txt ]] && echo "$file" | grep -qEf /tmp/exclude-regexes.txt 2>/dev/null; then
                   echo "Skipping: ${file} (matches exclude pattern)"
                   continue
                 fi
-
                 if [[ -f "${file}" ]]; then
-                  echo "Scanning: ${file}"
-                  trufflehog filesystem "${file}" --exclude-paths /tmp/trufflehog-exclude.txt --concurrency 16 --json --no-update --results=verified,unverified >> results.ndjson || true
+                  paths+=("${file}")
                 fi
               done < changed-files.txt
+
+              if ((${#paths[@]} > 0)); then
+                echo "TruffleHog: ${#paths[@]} path(s), batched by xargs as needed"
+                : > results.ndjson
+                printf '%s\0' "${paths[@]}" | xargs -0 -r trufflehog filesystem \
+                  --exclude-paths /tmp/trufflehog-exclude.txt \
+                  --concurrency 16 \
+                  --json \
+                  --no-update \
+                  --results=verified,unverified >> results.ndjson || true
+              else
+                echo "No files to scan after excludes (only deletions or excluded paths)"
+              fi
             else
               echo "No files changed"
             fi
@@ -379,7 +393,7 @@ jobs:
       id-token: write
     steps:
       - name: Get Prometheus secrets from Vault
-        uses: grafana/shared-workflows/actions/get-vault-secrets@f1614b210386ac420af6807a997ac7f6d96e477a # get-vault-secrets/v1.3.1
+        uses: grafana/shared-workflows/actions/get-vault-secrets@078c4a8af09e06d646077550f9e0f68171d5881e # get-vault-secrets/v1.3.1
         with:
           common_secrets: |
             PROMETHEUS_URL=grafana-bench:prometheus_url
