From 5c5ae76e5c43d98fd0e9e3330330bce47c77d607 Mon Sep 17 00:00:00 2001
From: min
Date: Tue, 2 Jun 2026 14:32:25 +0300
Subject: [PATCH] =?UTF-8?q?ci(secret-scan):=20=D0=B7=D0=B0=D0=BF=D0=B8?= =?UTF-8?q?=D0=BD=D0=B8=D1=82=D1=8C=20trufflehog=20v3.90.5=20(latest=203.9?= =?UTF-8?q?5.4=20=3D=20404=20=D0=BD=D0=B0=20=D0=B1=D0=B8=D0=BD=D0=B0=D1=80?= =?UTF-8?q?=D0=BD=D0=B8=D0=BA)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upstream trufflehog latest-тег указывал на релиз без выложенного бинарника → install HTTP 404 → secret-scan падал на всех PR. Пин на стабильную версию.
Co-Authored-By: Claude Opus 4.8
---
 .gitea/workflows/ci.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index ac64bbf..066e6f6 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -56,8 +56,12 @@ jobs:
 fetch-depth: 0
 - name: Install trufflehog
 run: |
+ # Версия ЗАПИНЕНА: 2026-06-02 latest-тег trufflehog (3.95.4) указывал
+ # на релиз без выложенного бинарника → install давал HTTP 404 и валил
+ # secret-scan у всех PR. Пин на стабильную версию убирает зависимость
+ # от свежести релизов upstream.
 curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
- | sh -s -- -b /usr/local/bin
+ | sh -s -- -b /usr/local/bin v3.90.5
 - name: Run trufflehog
 run: |
 trufflehog git "file://$(pwd)" \
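Review bot: The `curl` line in the `Install trufflehog` step still fetches `scripts/install.sh` from the mutable `main` branch and pipes it into `sh`, so the new `v3.90.5` argument pins the binary but not the script that the CI job executes on every PR. Fetch the installer from an immutable ref as well, e.g. `https://raw.githubusercontent.com/trufflesecurity/trufflehog/v3.90.5/scripts/install.sh` (confirm the script exists at that tag) or a commit SHA, and check whether the installer's signature-verification option can be enabled on this runner. Because a pinned scanner stops picking up new detectors, the added comment should also say when the pin is to be revisited, e.g. `# TODO: bump the pin once a newer release ships its binary`. The `Run trufflehog` step continues past the end of the hunk.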