From af37e32960011c4b19437e8dbab1e1161927b13e Mon Sep 17 00:00:00 2001 From: hyperpolymath Date: Thu, 28 May 2026 14:31:16 +0100 Subject: [PATCH] fix(ci): bump secret-scanner SHA pin to pick up comment-line exemption Bumps the secret-scanner-reusable.yml pin from 3e4bd4c to 28fdf19 (standards#236: adds pragma + param-expansion + comment-line exemptions). The fix-hardcoded-secrets.sh line 11 (# Shell: PASSWORD="hardcoded"...) is a comment that documents the before-pattern this script rewrites, not a real credential. The scanner's new comment-line exemption (layer 3) skips all lines where the leading non-whitespace character is '#', so no code change to fix-hardcoded-secrets.sh is required. Fixes: scan / shell-secrets persistent red on main. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/secret-scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 097d2af9..f10dae8a 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -15,5 +15,5 @@ permissions: jobs: scan: - uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@3e4bd4c93911750727e2e4c66dff859e00079da0 + uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@28fdf197963c898e6bb80053c74b8d886f1c189d secrets: inherit
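Review bot: the comment-line exemption that the new ref on the `uses:` line brings in is broader than the single false positive it is meant to clear. Per the commit message it skips every line whose first non-whitespace character is '#', so a real credential left in a commented-out line would no longer be reported by this job. The same scanner revision is said to add a pragma exemption; marking only line 11 of fix-hardcoded-secrets.sh with that pragma would silence the documented before-pattern without relying on the blanket rule, and it is worth checking whether the reusable workflow lets a caller disable or scope the comment-line layer. As a smaller point, the 40-character SHA carries no trailing comment identifying what it corresponds to; something like `# standards#236` after the ref would make the next bump easier to audit. The unchanged `secrets: inherit` line passes every repository secret to the reusable workflow, so while touching this pin it is worth confirming the scanner actually needs them.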