From d381f207791838bf623931c421e9b789b76718ba Mon Sep 17 00:00:00 2001 From: rabbitblood Date: Sun, 26 Apr 2026 15:44:29 -0700 Subject: [PATCH] =?UTF-8?q?fix(ci):=20use=20molecule-core@staging=20?= =?UTF-8?q?=E2=80=94=20repo=20was=20renamed=20from=20molecule-monorepo,=20?= =?UTF-8?q?workflow=20lives=20on=20staging?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/secret-scan.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 245cda7..4b8a022 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -1,6 +1,6 @@ name: Secret scan -# Calls the canonical reusable workflow in molecule-monorepo. Defense +# Calls the canonical reusable workflow in molecule-core. Defense # against the #2090-class leak (a hosted-agent commit slipping a # credential-shaped string into a PR). One source of truth for the # pattern set; this file just enrolls the repo. @@ -9,8 +9,12 @@ name: Secret scan # so a leaked credential in a release tag would propagate to every # downstream tenant on next pip install. # +# Pinned to @staging because that's the active default branch on the +# upstream repo (main lags behind via the staging-promotion workflow). +# Updates ride along automatically as the upstream regex set evolves. +# # To update the regex set, edit -# Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml. +# Molecule-AI/molecule-core/.github/workflows/secret-scan.yml. on: pull_request: @@ -22,4 +26,4 @@ on: jobs: secret-scan: - uses: Molecule-AI/molecule-monorepo/.github/workflows/secret-scan.yml@main + uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@staging