fix(trufflehog): fall back to workflow ref when fetching exclude patterns

isaiah-grafana · isaiah-grafana · commit 585248a29ab0 · 2026-04-06T23:09:11.000-05:00
The fetch step now tries main first, then the ref the calling workflow
was pinned to (e.g. feature/trufflehog-global-excludes). This lets
exclude patterns work during testing before the branch is merged.

Made-with: Cursor
diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml
@@ -58,14 +58,28 @@ jobs:
           REPO=grafana/security-github-actions
           FILE_PATH=trufflehog/exclude-paths.txt
 
-          if gh api "repos/${REPO}/contents/${FILE_PATH}?ref=main" \
-              -H "Accept: application/vnd.github.v3.raw" -o "${DEST}" 2>/dev/null && [[ -s "${DEST}" ]]; then
-            echo "Loaded exclude patterns from ${REPO}@main (GitHub API)"
-          elif curl -fsSL "https://raw.githubusercontent.com/${REPO}/main/${FILE_PATH}" \
-              -o "${DEST}" 2>/dev/null && [[ -s "${DEST}" ]]; then
-            echo "Loaded exclude patterns from raw.githubusercontent.com"
-          else
-            echo "::warning::Could not fetch TruffleHog exclude patterns from ${REPO}. Scanning without exclusions."
+          # Resolve the ref the calling workflow used (e.g. @main, @feature/branch, @v1).
+          CALLER_REF="main"
+          if [[ -n "${{ github.workflow_ref }}" ]]; then
+            CALLER_REF=$(echo "${{ github.workflow_ref }}" | sed 's|.*@||; s|^refs/heads/||; s|^refs/tags/||')
+          fi
+
+          LOADED=false
+          for REF in main "${CALLER_REF}"; do
+            [[ "$LOADED" == "true" ]] && break
+            if gh api "repos/${REPO}/contents/${FILE_PATH}?ref=${REF}" \
+                -H "Accept: application/vnd.github.v3.raw" -o "${DEST}" 2>/dev/null && [[ -s "${DEST}" ]]; then
+              echo "Loaded exclude patterns from ${REPO}@${REF} (GitHub API)"
+              LOADED=true
+            elif curl -fsSL "https://raw.githubusercontent.com/${REPO}/${REF}/${FILE_PATH}" \
+                -o "${DEST}" 2>/dev/null && [[ -s "${DEST}" ]]; then
+              echo "Loaded exclude patterns from raw.githubusercontent.com@${REF}"
+              LOADED=true
+            fi
+          done
+
+          if [[ "$LOADED" != "true" ]]; then
+            echo "::warning::Could not fetch TruffleHog exclude patterns from ${REPO} (tried main and ${CALLER_REF}). Scanning without exclusions."
             touch "${DEST}"
           fi
 
