From 231d04c353848b6efb06ffd044a37081afa65e2a Mon Sep 17 00:00:00 2001
From: gapview01 <107860548+gapview01@users.noreply.github.com>
Date: Mon, 11 May 2026 19:53:21 +1000
Subject: [PATCH] ci(security): pin trufflesecurity/trufflehog@v3.88.18

@main was unstable: 2026-05-11 goblin_ui PR #425 hit a 502 pulling trufflehog:latest, breaking the security/secrets job. Pin to v3.88.18 (same version goblin_ui and goblin_bot adopted) so the fleet's secret-scan job has a deterministic image source. iac fleet sweep per po/docs/audits/pre-commit-hooks-bug-review-001.md v7 #42.
Dispatched-By: iac
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 38fc524..45d5229 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -86,7 +86,7 @@ jobs:
 with:
 fetch-depth: 0
 - name: Secret scan
- uses: trufflesecurity/trufflehog@main
+ uses: trufflesecurity/trufflehog@v3.88.18
 with:
 extra_args: --only-verified
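Review bot: Pinning the `uses:` ref to `v3.88.18` probably does not pin the image whose pull returned the 502. As far as I know, this action runs the scanner from a container whose tag comes from its `version` input, which defaults to `latest`, so the step would still pull `trufflehog:latest` unless the `with:` block also sets `version` to the matching release. Confirm this against the action's `action.yml` at that tag. Separately, a tag is a mutable ref, so for a secret-scan step that checks out full history (`fetch-depth: 0`) the stronger pin is the full commit SHA with the tag kept as a comment: `uses: trufflesecurity/trufflehog@<full-commit-sha-of-v3.88.18>  # v3.88.18`. The job definition starts above this hunk, so its `permissions:` are not visible here and should be checked to be read-only.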