From 175d7363cf81ccf3da01b2e5ef360755a9608162 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sun, 17 May 2026 03:00:34 +0100
Subject: [PATCH] ci: repin trufflehog off unresolvable moving-main SHA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

trufflesecurity/trufflehog@7ee2e0fd… (a SHA from upstream's moving
`main`, since GC'd) no longer resolves -> the job hard-fails at
"Set up job". Repin to released tag v3.92.3 (canonical pin used by
reposystem/v3-templater quality.yml).

Refs hyperpolymath/standards#82

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/secret-scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 79cb88b..e12c19e 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0  # Full history for scanning
 
       - name: TruffleHog Secret Scan
-        uses: trufflesecurity/trufflehog@7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8 # v3
+        uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3
         with:
           # The v3 action injects --fail automatically on pull_request events.
           # Passing --fail here triggers "flag 'fail' cannot be repeated".