From 4bf4d911db96a06a6842ec3b4b2f3c636a6e24ef Mon Sep 17 00:00:00 2001
From: "kiloconnect[bot]" <240665456+kiloconnect[bot]@users.noreply.github.com>
Date: Wed, 4 Feb 2026 16:47:24 +0000
Subject: [PATCH 1/3] Add TruffleHog secret scanning workflow
---
 .github/workflows/trufflehog.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/trufflehog.yml
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 0000000000..81ac21f930
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
@@ -0,0 +1,20 @@
+name: Secret Scanning
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ trufflehog:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Secret Scanning
+ uses: trufflesecurity/trufflehog@main
+ with:
+ extra_args: --results=verified,unknown
From f65125ec8b6a2d76420703e335bebdbbb1075c24 Mon Sep 17 00:00:00 2001
From: "kiloconnect[bot]" <240665456+kiloconnect[bot]@users.noreply.github.com>
Date: Wed, 4 Feb 2026 16:52:08 +0000
Subject: [PATCH 2/3] Pin TruffleHog action to v3.93.0
---
 .github/workflows/trufflehog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 81ac21f930..c33b111c16 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -15,6 +15,6 @@ jobs:
 with:
 fetch-depth: 0
 - name: Secret Scanning
- uses: trufflesecurity/trufflehog@main
+ uses: trufflesecurity/trufflehog@v3.93.0
 with:
 extra_args: --results=verified,unknown
From a2fbfce20a521a893f61270050b2b37d30c6c453 Mon Sep 17 00:00:00 2001
From: "kiloconnect[bot]" <240665456+kiloconnect[bot]@users.noreply.github.com>
Date: Wed, 4 Feb 2026 16:55:48 +0000
Subject: [PATCH 3/3] Add minimal permissions to TruffleHog workflow
---
 .github/workflows/trufflehog.yml | 3 +++
 1 file changed, 3 insertions(+)
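Review bot: The `Checkout code` step added in PATCH 1/3 keeps the default `persist-credentials: true`, so with `actions/checkout@v4` the job's `GITHUB_TOKEN` is stored in the checked-out repository's local git configuration and stays readable by the third-party scanner step that runs right after it. The scan only needs the working tree and the history fetched by `fetch-depth: 0`, so add `persist-credentials: false` under that step's `with:`. This keeps the token out of reach of the scanner and of any later step added to the job.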
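Review bot: `trufflesecurity/trufflehog@v3.93.0` in PATCH 2/3 is still a tag, and the action's owner can move a tag to a different commit, so this pin does not fix which code runs in the job. Pin to the full commit SHA the tag resolves to and keep the version as a trailing comment, e.g. `uses: trufflesecurity/trufflehog@<full-commit-sha> # v3.93.0` (placeholder; look the SHA up from the release). The same applies to `actions/checkout@v4` in the preceding step, whose `uses:` line lies just above this hunk and is not shown in it.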
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index c33b111c16..02171a98dd 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -6,6 +6,9 @@ on:
 - main
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 trufflehog:
 runs-on: ubuntu-latest