
Update Cloudflare detectors for 2026+ prefixed credential formats #13160


Workflow file for this run

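# Lint workflow: runs golangci-lint, a man-page staleness check, the
# project's semgrep detector rules and the checksecretparts analyzer.
# Triggered by pushes of tags matching v* and by every pull request.
#
# Security notes for maintainers:
# - On pull_request runs the jobs below build and execute code from the
#   proposed change (`make man`, `go run ./hack/checksecretparts`), so the
#   workflow token is kept read-only and is not left in the checkout.
# - NOTE(review): every `uses:` reference is a version tag. Tags are
#   mutable; pinning each action to a full commit SHA
#   (e.g. `actions/checkout@<FULL_COMMIT_SHA>  # v4`) makes the run
#   reproducible and removes the tag-retarget risk.
name: Lint
on:
  push:
    tags:
      - 'v*'
  pull_request:
# Least privilege for GITHUB_TOKEN: read-only, applied to every job.
permissions:
  contents: read
  pull-requests: read
jobs:
  golangci-lint:
    name: golangci-lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches with git, so do not leave the
          # token in .git/config where linted or built code could read it.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: "1.25"
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v7
        with:
          # NOTE: Version and args must match scripts/lint.sh
          version: v2.11.4
          args: --disable errcheck,staticcheck --enable bodyclose,copyloopvar,misspell --timeout 10m
  man-page-staleness:
    name: man-page-staleness
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # `git diff` below is local only; no credentials are needed.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: "1.25"
      - name: Regenerate man page
        run: make man
      - name: Check for staleness
        # Fails the job when the regenerated man page differs from the
        # committed copy.
        run: |
          if ! git diff --exit-code docs/man/trufflehog.1; then
            echo "::error::docs/man/trufflehog.1 is stale. Run 'make man' and commit the result."
            exit 1
          fi
  semgrep:
    name: semgrep
    runs-on: ubuntu-latest
    container:
      # NOTE(review): no tag or digest is given, so this resolves to the
      # registry's current `latest` on every run. Pin the image by digest
      # (`returntocorp/semgrep@sha256:<IMAGE_DIGEST>`) so the scanner that
      # gates detector changes cannot change underneath the workflow.
      image: returntocorp/semgrep
    # Skipped for runs whose actor is dependabot[bot].
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: semgrep --config=hack/semgrep-rules/detectors.yaml pkg/detectors/
  checksecretparts:
    # Reports detector packages that construct detectors.Result without
    # populating SecretParts. See hack/checksecretparts/README.md.
    name: checksecretparts
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: "1.25"
      - name: Run checksecretparts
        run: go run ./hack/checksecretparts -fail ./pkg/detectors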