From 0b11d669b5fefb0d9d89c3b8f9569fc7d8247ee9 Mon Sep 17 00:00:00 2001
From: rabbitblood
Date: Sun, 26 Apr 2026 15:14:17 -0700
Subject: [PATCH] chore(ci): enroll in org-wide secret-scan reusable workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Calls the canonical workflow shipped in Molecule-AI/molecule-monorepo#2109. Defense against the #2090-class leak: a hosted-agent commit slipping a credential-shaped string into a PR — caught at the PR layer, before merge. Higher stakes here than most repos: this package publishes to PyPI, so a leaked credential on a release tag would propagate to every downstream tenant on next pip install. Pattern set lives in molecule-monorepo so we don't maintain a parallel copy here. Pairs with the runtime-side pre-commit hook (scripts/pre-commit-checks.sh) which catches local commits before they reach a PR.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/secret-scan.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/secret-scan.yml

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 0000000..245cda7
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,25 @@
+name: Secret scan
+
+# Calls the canonical reusable workflow in molecule-monorepo. Defense
+# against the #2090-class leak (a hosted-agent commit slipping a
+# credential-shaped string into a PR). One source of truth for the
+# pattern set; this file just enrolls the repo.
+#
+# Higher stakes here than most repos: this package publishes to PyPI,
+# so a leaked credential in a release tag would propagate to every
+# downstream tenant on next pip install.
+#
+# To update the regex set, edit
+# Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main, staging]
+  merge_group:
+    types: [checks_requested]
+
+jobs:
+  secret-scan:
+    uses: Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml@main
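Review bot: The last line of the hunk references the reusable workflow by a mutable branch, `uses: Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml@main`, so whatever lands on that branch runs here with this repo's token and PR context; for a control that gates a PyPI-publishing repo, pin it to a commit SHA (or at least a release tag) and bump deliberately, e.g. `uses: Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml@<pinned-commit-sha>`. The "one source of truth for the pattern set" goal in the header comment still holds if the monorepo workflow loads its patterns at run time; if the regexes live in the workflow file itself, a pin means pattern updates need a bump here, which is a trade-off worth stating in the comment either way. The file also declares no `permissions:`, so the job inherits the repository's default GITHUB_TOKEN scope; a top-level `permissions:` / `  contents: read` block, widened only to what the called workflow documents it needs, keeps a scanner from holding a write-capable token. Note too that the header comment names a credential in a release tag as the highest-stakes case, yet the `on:` block covers only `pull_request`, `push` to main/staging and `merge_group`, so a tag push itself is never scanned unless release tags are only ever cut from commits that already passed through main — if that is not guaranteed, add a `tags:` filter under `push:` for the repo's release-tag pattern.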