chore(ci): enroll in org-wide secret-scan reusable workflow

Calls the canonical workflow shipped in Molecule-AI/molecule-monorepo#2109. Defense against the #2090-class leak: a hosted-agent commit slipping a credential-shaped string into a PR — caught at the PR layer, before merge. Higher stakes here than most repos: this package publishes to PyPI, so a leaked credential on a release tag would propagate to every downstream tenant on next pip install. Pattern set lives in molecule-monorepo so we don't maintain a parallel copy here. Pairs with the runtime-side pre-commit hook (scripts/pre-commit-checks.sh) which catches local commits before they reach a PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 15:14:17 -07:00 · 2026-04-26 15:14:17 -07:00 · 0b11d669b5
commit 0b11d669b5
parent 01b818d1c8
1 changed files with 25 additions and 0 deletions
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@ -0,0 +1,25 @@
+name: Secret scan
+
+# Calls the canonical reusable workflow in molecule-monorepo. Defense
+# against the #2090-class leak (a hosted-agent commit slipping a
+# credential-shaped string into a PR). One source of truth for the
+# pattern set; this file just enrolls the repo.
+#
+# Higher stakes here than most repos: this package publishes to PyPI,
+# so a leaked credential in a release tag would propagate to every
+# downstream tenant on next pip install.
+#
+# To update the regex set, edit
+# Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main, staging]
+  merge_group:
+    types: [checks_requested]
+
+jobs:
+  secret-scan:
+    uses: Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml@main