From 26661ec30e8b65bccab412083dbd72f5d2fb3932 Mon Sep 17 00:00:00 2001
From: "mendral-app[bot]" <233154221+mendral-app[bot]@users.noreply.github.com>
Date: Wed, 4 Feb 2026 23:07:07 -0800
Subject: [PATCH] Pin trufflehog action to SHA for supply chain security

Pin trufflesecurity/trufflehog to commit a633174c3b2242aa1b6f8941d2ad6a99e0305964 instead of mutable main branch reference to prevent supply chain attacks.
---
 .github/workflows/secrets.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/secrets.yaml b/.github/workflows/secrets.yaml
index ad60ee6..0932e59 100644
--- a/.github/workflows/secrets.yaml
+++ b/.github/workflows/secrets.yaml
@@ -13,6 +13,7 @@ jobs:
 - uses: "actions/checkout@v4"
 with:
 fetch-depth: 0
- - uses: "trufflesecurity/trufflehog@main"
+ # Pinned to SHA for supply chain security (main branch as of 2024)
+ - uses: "trufflesecurity/trufflehog@a633174c3b2242aa1b6f8941d2ad6a99e0305964"
 with:
 extra_args: "--results=verified,unknown"
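Review bot: The new comment above the pinned `uses:` line dates the SHA to "main branch as of 2024" while the commit itself is dated February 2026, and it names no release tag, so a reader cannot tell which trufflehog version `a633174c3b2242aa1b6f8941d2ad6a99e0305964` corresponds to or whether it is current. The usual convention for SHA pins is a trailing version comment on the same line, which also lets Dependabot/Renovate track the pin, e.g. `- uses: "trufflesecurity/trufflehog@a633174c3b2242aa1b6f8941d2ad6a99e0305964" # <UPSTREAM_TAG placeholder — verify which release this commit ships in>`, and the stale "as of 2024" line should be dropped. Before merging, confirm the SHA is a commit on the upstream `trufflesecurity/trufflehog` repository's history rather than one only reachable through a fork, since the pin is only as trustworthy as the commit it names. The context line `- uses: "actions/checkout@v4"` two lines above is still on a mutable tag, so the supply-chain rationale in the commit message is applied to only one of the two actions in this job; pinning it the same way, `- uses: "actions/checkout@<CHECKOUT_SHA placeholder>" # v4`, would make the workflow consistent. The enclosing job definition under `jobs:` starts before this hunk.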