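name: Secret scan

# Calls the canonical reusable workflow in molecule-core. Defense
# against the #2090-class leak (a hosted-agent commit slipping a
# credential-shaped string into a PR). Pattern set lives in
# molecule-core so we don't maintain a parallel copy here.
#
# Pinned to @staging because that's the active default branch on the
# upstream repo (main lags behind via the staging-promotion workflow).
# Updates ride along automatically as the upstream regex set evolves.
#
# NOTE(review): @staging is a mutable ref. Whatever lands on the upstream
# branch runs here on the next trigger, with no review in this repo. That
# is the intent stated above, but it also means a bad or compromised
# upstream commit can change or disable this scan without any diff here.
# If that trade-off stops being acceptable, pin to a full commit SHA and
# bump it with an automated dependency updater.
#
# NOTE(review): no `permissions:` block is declared, so the called
# workflow gets this repository's default GITHUB_TOKEN permissions. If the
# upstream scan only reads the checkout, `permissions: contents: read`
# would cap it. Confirm against the upstream workflow before adding.

on:
  # Scan every PR revision, not only the first push.
  pull_request:
    types: [opened, synchronize, reopened]
  # Also scan direct pushes to the long-lived branches.
  push:
    branches: [main, staging]
  # Run inside the merge queue so this can serve as a required check.
  merge_group:
    types: [checks_requested]

jobs:
  secret-scan:
    uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@staging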