fix(trufflehog): scope merge_group scans to diff like pull_request (#141)

* fix(trufflehog): scope merge_group scans to diff like pull_request

Merge queue runs use github.event_name merge_group, which previously fell
through to trufflehog filesystem . and scanned the entire repo. Fetch
merge_group base/head SHAs and git diff --name-only to match PR behavior.

Author: isaiah-grafana

.github/workflows/reusable-trufflehog.yml

@@ -43,9 +43,19 @@ jobs:
           fetch-depth: 1
           persist-credentials: true
 
-      - name: Fetch base and head commits
+      - name: Fetch base and head commits (pull_request)
         if: github.event_name == 'pull_request'
-        run: git fetch --depth=1 origin ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }}
+        env:
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: git fetch --depth=1 origin "$PR_BASE_SHA" "$PR_HEAD_SHA"
+
+      - name: Fetch base and head commits (merge_group)
+        if: github.event_name == 'merge_group'
+        env:
+          MERGE_GROUP_BASE_SHA: ${{ github.event.merge_group.base_sha }}
+          MERGE_GROUP_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
+        run: git fetch --depth=1 origin "$MERGE_GROUP_BASE_SHA" "$MERGE_GROUP_HEAD_SHA"
 
       - name: Remove persisted credentials
         run: git config --unset-all http.https://github.com/.extraheader
@@ -93,14 +103,24 @@ jobs:
 
       - name: Scan for secrets
         id: scan
+        env:
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          MERGE_GROUP_BASE_SHA: ${{ github.event.merge_group.base_sha }}
+          MERGE_GROUP_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
         run: |
           set +e
           echo "[]" > results.json
 
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            # PR: Scan only changed files (using two-dot diff with explicit base SHA)
-            echo "Scanning changed files in PR..."
-            git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} > changed-files.txt
+          if [[ "${{ github.event_name }}" == "pull_request" ]] || [[ "${{ github.event_name }}" == "merge_group" ]]; then
+            # PR / merge queue: scan only paths that differ from base..head (not the entire checkout)
+            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+              echo "Scanning changed files in PR..."
+              git diff --name-only "$PR_BASE_SHA" "$PR_HEAD_SHA" > changed-files.txt
+            else
+              echo "Scanning changed files in merge group..."
+              git diff --name-only "$MERGE_GROUP_BASE_SHA" "$MERGE_GROUP_HEAD_SHA" > changed-files.txt
+            fi
 
             if [[ -s changed-files.txt ]]; then
               while IFS= read -r file; do
@@ -124,7 +144,7 @@ jobs:
               echo "No files changed"
             fi
           else
-            # Push to main: Scan current filesystem
+            # push to main (and any other events): full filesystem scan
             echo "Scanning current filesystem..."
             trufflehog filesystem . --exclude-paths /tmp/trufflehog-exclude.txt --concurrency 16 --json --no-update --results=verified,unverified > results.ndjson || true
           fi