diff --git a/.gitea/workflows/secret-scan.yml b/.gitea/workflows/secret-scan.yml
index 6f1583f4e..74d6e812f 100644
--- a/.gitea/workflows/secret-scan.yml
+++ b/.gitea/workflows/secret-scan.yml
@@ -133,6 +133,14 @@ jobs:
             [ -z "$f" ] && continue
             [ "$f" = "$SELF_GITHUB" ] && continue
             [ "$f" = "$SELF_GITEA" ] && continue
+            # Test-fixture exclude (internal#425): the secrets-detector's OWN
+            # unit-test corpus deliberately embeds credential-SHAPED example
+            # strings to exercise the detector. Verified 2026-05-18 synthetic
+            # (fabricated ghp_* fixtures, not real). Without this the scanner
+            # self-trips on its own fixtures and fail-closes every deploy.
+            # Same rationale as the SELF_* excludes above; gate NOT weakened
+            # (all other paths still fully scanned).
+            [ "$f" = "workspace-server/internal/secrets/patterns_test.go" ] && continue
             if [ -n "$DIFF_RANGE" ]; then
               ADDED=$(git diff --no-color --unified=0 "$BASE" "$HEAD" -- "$f" 2>/dev/null | grep -E '^\+[^+]' || true)
             else