chore(ci): enroll in org-wide secret-scan reusable workflow (Molecule-AI/molecule-core#2109)
parent
8fe23423ba
commit
61f8d037bc
22
.github/workflows/secret-scan.yml
vendored
Normal file
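--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,22 @@
+name: Secret scan
+
+# Calls the canonical reusable workflow in molecule-core. Defense
+# against the #2090-class leak (a hosted-agent commit slipping a
+# credential-shaped string into a PR). Pattern set lives in
+# molecule-core so we do not maintain a parallel copy here.
+#
+# Pinned to @staging because that is the active default branch on the
+# upstream repo (main lags behind via the staging-promotion workflow).
+# Updates ride along automatically as the upstream regex set evolves.
+
+on:
+pull_request:
+types: [opened, synchronize, reopened]
+push:
+branches: [main, staging, master]
+merge_group:
+types: [checks_requested]
+
+jobs:
+secret-scan:
+uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@staging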
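Review bot: The `uses:` entry on the last line of the new file references the reusable workflow by the mutable branch ref `@staging`, so anyone able to push to that branch in molecule-core changes what runs in this repository's CI without a review here. The header comment shows this is a deliberate trade for automatic pattern updates. If it stays, the comment should also record that staging is branch-protected upstream (not verifiable from this page); otherwise pin to a full commit SHA, e.g. `uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@<full-commit-sha>`, and let an update bot bump it. The `secret-scan` job also declares no `permissions:`, so the called workflow runs with this repository's default GITHUB_TOKEN scope. Assuming the scan only needs to read the checkout, adding `permissions:` with `contents: read` under `secret-scan:` caps what an upstream change could do.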