Merge pull request #8 from Molecule-AI/chore/enroll-secret-scan

chore(ci): enroll in org-wide secret-scan reusable workflow (Molecule-AI/molecule-core#2109)
2026-04-29 13:48:42 -07:00 · 2026-04-29 13:48:42 -07:00 · 1dca06bd12
commit 1dca06bd12
parent 87a6fcf7ef f3241cde20
1 changed files with 22 additions and 0 deletions
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@ -0,0 +1,22 @@
+name: Secret scan
+
+# Calls the canonical reusable workflow in molecule-core. Defense
+# against the #2090-class leak (a hosted-agent commit slipping a
+# credential-shaped string into a PR). Pattern set lives in
+# molecule-core so we do not maintain a parallel copy here.
+#
+# Pinned to @staging because that is the active default branch on the
+# upstream repo (main lags behind via the staging-promotion workflow).
+# Updates ride along automatically as the upstream regex set evolves.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main, staging, master]
+  merge_group:
+    types: [checks_requested]
+
+jobs:
+  secret-scan:
+    uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@staging