diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 0000000..245cda7
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,25 @@
+name: Secret scan
+
+# Calls the canonical reusable workflow in molecule-monorepo. Defense
+# against the #2090-class leak (a hosted-agent commit slipping a
+# credential-shaped string into a PR). One source of truth for the
+# pattern set; this file just enrolls the repo.
+#
+# Higher stakes here than most repos: this package publishes to PyPI,
+# so a leaked credential in a release tag would propagate to every
+# downstream tenant on next pip install.
+#
+# To update the regex set, edit
+# Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main, staging]
+  merge_group:
+    types: [checks_requested]
+
+jobs:
+  secret-scan:
+    uses: Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml@main
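Review bot: The `uses:` line pins the reusable workflow to the mutable `@main` ref, so both the pattern set and the workflow body that gates PRs here can change without any review in this repository; pinning to a release tag or full commit SHA (bumped by Dependabot/Renovate) keeps the "one source of truth" intent while making such changes visible, and if `@main` is deliberate the header comment should say so. The job also declares no `permissions:`, so the called workflow runs with whatever default `GITHUB_TOKEN` scope this repository grants; a scanner only needs to read the checkout, so add `permissions:` / `  contents: read` under `secret-scan:` (a called workflow cannot escalate beyond what the caller passes). Separately, the header motivates the scan with a credential leaking via a release tag, but `push.branches` lists only `main` and `staging`, so a tag push does not trigger this workflow — presumably acceptable if tags are cut only from an already-scanned `main`, but that assumption is worth stating in the comment.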