From b8988ad2fd6ba945ad095a24bbc4205efa3ec31a Mon Sep 17 00:00:00 2001
From: Recovery Script <recovery@phenotype.local>
Date: Sun, 7 Jun 2026 06:40:04 -0700
Subject: [PATCH] ci(workflows): fix trufflehog rot (replaces fake SHA + wrong
 repo path)

The previous pin (commit cac3d16) used:
  trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad
The SHA is fake (not in trufflesecurity/trufflehog or trufflehog/actions),
and the reference name is wrong (trufflehog/actions/ repo 404s).

Replaced with the working pattern:
  trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf
(2026-06-05; the same SHA PhenoMCP, PhenoSpecs, phenotype-registry#61,
thegent#1096, FocalPoint#100 use.)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/trufflehog.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index c1de806..8dbaf81 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -18,7 +18,9 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-      - uses: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad  # was: @main
-      - run: trufflehog github --only-verified --no-update
-        env:
-          GH_TOKEN: \${{ github.token }}
+      - uses: trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --only-verified --fail --no-update