perf(trufflehog): single process for PR changed-file scan (#151)

* perf(trufflehog): batch PR changed-path scans

Feed filtered paths through GNU xargs -0 so a typical PR runs one
TruffleHog process (avoids per-file startup) while argv stays under OS
limits on very large diffs. Paths are still filtered for excludes and
missing files (e.g. deletions in the diff).

* perf(trufflehog): PR scan via --include-paths regex file

Use one trufflehog filesystem invocation over . with --include-paths
(anchored re.escape per path) to avoid argv limits; addresses review.

Revert get-vault-secrets action pin to match main (f1614b2).

Author: isaiah-grafana

.github/workflows/reusable-trufflehog.yml

@@ -147,17 +147,35 @@ jobs:
             fi
 
             if [[ -s changed-files.txt ]]; then
+              # One TruffleHog process over repo root; --include-paths file lists anchored regexes
+              # (TruffleHog expects regex lines, not raw paths — see trufflesecurity docs).
+              INCLUDE_REGEXES=/tmp/trufflehog-pr-include-regexes.txt
+              : > "${INCLUDE_REGEXES}"
               while IFS= read -r file; do
                 if [[ -s /tmp/exclude-regexes.txt ]] && echo "$file" | grep -qEf /tmp/exclude-regexes.txt 2>/dev/null; then
                   echo "Skipping: ${file} (matches exclude pattern)"
                   continue
                 fi
-
                 if [[ -f "${file}" ]]; then
-                  echo "Scanning: ${file}"
-                  trufflehog filesystem "${file}" --exclude-paths /tmp/trufflehog-exclude.txt --concurrency 16 --json --no-update --results=verified,unverified >> results.ndjson || true
+                  python3 -c 'import re, sys; print("^" + re.escape(sys.argv[1]) + "$")' "$file" >> "${INCLUDE_REGEXES}"
                 fi
               done < changed-files.txt
+
+              if [[ -s "${INCLUDE_REGEXES}" ]]; then
+                sort -u -o "${INCLUDE_REGEXES}" "${INCLUDE_REGEXES}"
+                n_inc=$(wc -l < "${INCLUDE_REGEXES}")
+                echo "TruffleHog: ${n_inc} path(s) via --include-paths (anchored regexes)"
+                : > results.ndjson
+                trufflehog filesystem . \
+                  --include-paths "${INCLUDE_REGEXES}" \
+                  --exclude-paths /tmp/trufflehog-exclude.txt \
+                  --concurrency 16 \
+                  --json \
+                  --no-update \
+                  --results=verified,unverified > results.ndjson || true
+              else
+                echo "No files to scan after excludes (only deletions or excluded paths)"
+              fi
             else
               echo "No files changed"
             fi