feat(secret): implement streaming secret scanner with byte offset tracking (#9264)

Co-authored-by: knqyf263 <knqyf263@users.noreply.github.com>
2026-01-31 13:53:14 +08:00 · 2025-08-01 12:17:54 +04:00
parent 1473e88b74
commit 5a5e0972c7
16 changed files with 955 additions and 200 deletions
--- a/rpc/cache/service.twirp.go
+++ b/rpc/cache/service.twirp.go
@@ -1,4 +1,4 @@
-// Code generated by protoc-gen-twirp v8.1.0, DO NOT EDIT.
+// Code generated by protoc-gen-twirp v8.1.3, DO NOT EDIT.
 // source: rpc/cache/service.proto

 package cache
@@ -6,7 +6,7 @@ package cache
 import context "context"
 import fmt "fmt"
 import http "net/http"
-import ioutil "io/ioutil"
+import io "io"
 import json "encoding/json"
 import strconv "strconv"
 import strings "strings"
@@ -20,7 +20,6 @@ import google_protobuf "google.golang.org/protobuf/types/known/emptypb"

 import bytes "bytes"
 import errors "errors"
-import io "io"
 import path "path"
 import url "net/url"

@@ -67,7 +66,7 @@ func NewCacheProtobufClient(baseURL string, client HTTPClient, opts ...twirp.Cli
 		o(&clientOpts)
 	}

-	// Using ReadOpt allows backwards and forwads compatibility with new options in the future
+	// Using ReadOpt allows backwards and forwards compatibility with new options in the future
 	literalURLs := false
 	_ = clientOpts.ReadOpt("literalURLs", &literalURLs)
 	var pathPrefix string
@@ -300,7 +299,7 @@ func NewCacheJSONClient(baseURL string, client HTTPClient, opts ...twirp.ClientO
 		o(&clientOpts)
 	}

-	// Using ReadOpt allows backwards and forwads compatibility with new options in the future
+	// Using ReadOpt allows backwards and forwards compatibility with new options in the future
 	literalURLs := false
 	_ = clientOpts.ReadOpt("literalURLs", &literalURLs)
 	var pathPrefix string
@@ -529,7 +528,7 @@ type cacheServer struct {
 func NewCacheServer(svc Cache, opts ...interface{}) TwirpServer {
 	serverOpts := newServerOpts(opts)

-	// Using ReadOpt allows backwards and forwads compatibility with new options in the future
+	// Using ReadOpt allows backwards and forwards compatibility with new options in the future
 	jsonSkipDefaults := false
 	_ = serverOpts.ReadOpt("jsonSkipDefaults", &jsonSkipDefaults)
 	jsonCamelCase := false
@@ -736,7 +735,7 @@ func (s *cacheServer) servePutArtifactProtobuf(ctx context.Context, resp http.Re
 		return
 	}

-	buf, err := ioutil.ReadAll(req.Body)
+	buf, err := io.ReadAll(req.Body)
 	if err != nil {
 		s.handleRequestBodyError(ctx, resp, "failed to read request body", err)
 		return
@@ -916,7 +915,7 @@ func (s *cacheServer) servePutBlobProtobuf(ctx context.Context, resp http.Respon
 		return
 	}

-	buf, err := ioutil.ReadAll(req.Body)
+	buf, err := io.ReadAll(req.Body)
 	if err != nil {
 		s.handleRequestBodyError(ctx, resp, "failed to read request body", err)
 		return
@@ -1096,7 +1095,7 @@ func (s *cacheServer) serveMissingBlobsProtobuf(ctx context.Context, resp http.R
 		return
 	}

-	buf, err := ioutil.ReadAll(req.Body)
+	buf, err := io.ReadAll(req.Body)
 	if err != nil {
 		s.handleRequestBodyError(ctx, resp, "failed to read request body", err)
 		return
@@ -1276,7 +1275,7 @@ func (s *cacheServer) serveDeleteBlobsProtobuf(ctx context.Context, resp http.Re
 		return
 	}

-	buf, err := ioutil.ReadAll(req.Body)
+	buf, err := io.ReadAll(req.Body)
 	if err != nil {
 		s.handleRequestBodyError(ctx, resp, "failed to read request body", err)
 		return
@@ -1351,7 +1350,7 @@ func (s *cacheServer) ServiceDescriptor() ([]byte, int) {
 }

 func (s *cacheServer) ProtocGenTwirpVersion() string {
-	return "v8.1.0"
+	return "v8.1.3"
 }

 // PathPrefix returns the base service path, in the form: "/<prefix>/<package>.<Service>/"
@@ -1470,7 +1469,7 @@ func writeError(ctx context.Context, resp http.ResponseWriter, err error, hooks
 }

 // sanitizeBaseURL parses the the baseURL, and adds the "http" scheme if needed.
-// If the URL is unparsable, the baseURL is returned unchaged.
+// If the URL is unparsable, the baseURL is returned unchanged.
 func sanitizeBaseURL(baseURL string) string {
 	u, err := url.Parse(baseURL)
 	if err != nil {
@@ -1544,7 +1543,7 @@ func newRequest(ctx context.Context, url string, reqBody io.Reader, contentType
 	}
 	req.Header.Set("Accept", contentType)
 	req.Header.Set("Content-Type", contentType)
-	req.Header.Set("Twirp-Version", "v8.1.0")
+	req.Header.Set("Twirp-Version", "v8.1.3")
 	return req, nil
 }

@@ -1595,7 +1594,7 @@ func errorFromResponse(resp *http.Response) twirp.Error {
 		return twirpErrorFromIntermediary(statusCode, msg, location)
 	}

-	respBodyBytes, err := ioutil.ReadAll(resp.Body)
+	respBodyBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return wrapInternal(err, "failed to read server error response body")
 	}
@@ -1785,13 +1784,7 @@ func doProtobufRequest(ctx context.Context, client HTTPClient, hooks *twirp.Clie
 	if err != nil {
 		return ctx, wrapInternal(err, "failed to do request")
 	}
-
-	defer func() {
-		cerr := resp.Body.Close()
-		if err == nil && cerr != nil {
-			err = wrapInternal(cerr, "failed to close response body")
-		}
-	}()
+	defer func() { _ = resp.Body.Close() }()

 	if err = ctx.Err(); err != nil {
 		return ctx, wrapInternal(err, "aborted because context was done")
@@ -1801,7 +1794,7 @@ func doProtobufRequest(ctx context.Context, client HTTPClient, hooks *twirp.Clie
 		return ctx, errorFromResponse(resp)
 	}

-	respBodyBytes, err := ioutil.ReadAll(resp.Body)
+	respBodyBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return ctx, wrapInternal(err, "failed to read response body")
 	}