fix(ci): use molecule-core@staging — repo was renamed from molecule-monorepo, workflow lives on staging

2026-04-26 15:44:29 -07:00 · 2026-04-26 15:44:29 -07:00 · d381f20779
commit d381f20779
parent 0b11d669b5
1 changed files with 7 additions and 3 deletions
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@ -1,6 +1,6 @@
 name: Secret scan

-# Calls the canonical reusable workflow in molecule-monorepo. Defense
+# Calls the canonical reusable workflow in molecule-core. Defense
 # against the #2090-class leak (a hosted-agent commit slipping a
 # credential-shaped string into a PR). One source of truth for the
 # pattern set; this file just enrolls the repo.
@ -9,8 +9,12 @@ name: Secret scan
 # so a leaked credential in a release tag would propagate to every
 # downstream tenant on next pip install.
 #
+# Pinned to @staging because that's the active default branch on the
+# upstream repo (main lags behind via the staging-promotion workflow).
+# Updates ride along automatically as the upstream regex set evolves.
+#
 # To update the regex set, edit
-# Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml.
+# Molecule-AI/molecule-core/.github/workflows/secret-scan.yml.

 on:
  pull_request:
@ -22,4 +26,4 @@ on:

 jobs:
  secret-scan:
-    uses: Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml@main
+    uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@staging