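name: Secret scan

# Calls the canonical reusable workflow in molecule-core. Defense
# against the #2090-class leak (a hosted-agent commit slipping a
# credential-shaped string into a PR). Pattern set lives in
# molecule-core so we don't maintain a parallel copy here.
#
# Pinned to @staging because that's the active default branch on the
# upstream repo (main lags behind via the staging-promotion workflow).
# Updates ride along automatically as the upstream regex set evolves.
#
# NOTE(review): @staging is a mutable ref. Whatever lands on that
# upstream branch runs in this repository's CI on the next trigger,
# without a reviewable change here. Pinning `uses:` to a full commit SHA
# (placeholder: ...secret-scan.yml@<full-commit-sha>) and bumping it via
# automated update PRs keeps pattern updates flowing while making each
# one auditable. If the branch pin stays, upstream branch protection on
# staging is the control this gate depends on.
#
# NOTE(review): no `permissions:` block is set, so the GITHUB_TOKEN
# passed to the called workflow takes the repository/organization
# default. If the upstream scan only reads the checkout, a job-level
# `permissions: contents: read` would narrow it. Confirm against the
# permissions the upstream workflow declares first, because a called
# workflow cannot be granted more than the caller allows.

on:
  # pull_request (not pull_request_target): the scan runs in the
  # context of the PR's merge commit.
  pull_request:
    types: [opened, synchronize, reopened]
  # Direct pushes to the protected branches are scanned as well.
  push:
    branches: [main, staging]
  # Merge-queue entries are scanned before they merge.
  merge_group:
    types: [checks_requested]

jobs:
  secret-scan:
    # No `secrets: inherit` and no `with:` inputs: the called workflow
    # receives no repository secrets from this caller. Keep it that way
    # unless the upstream workflow documents a need.
    uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@staging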