diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 4e0616c..4c037ad 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -159,7 +159,9 @@ jobs:
 continue-on-error: true
 uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3
 with:
- extra_args: --only-verified --fail
+ # The v3 action injects --fail automatically on pull_request events.
+ # Passing --fail here triggers "flag 'fail' cannot be repeated".
+ extra_args: --only-verified
 - name: Immediate dispatch (TruffleHog finding)
 if: steps.trufflehog_scan.outcome == 'failure'
@@ -330,4 +332,4 @@ jobs:
 if: steps.rust_secret_check.outcome == 'failure'
 run: |
 echo "::error::Rust hardcoded-secret check failed."
- exit 1
+ exit 1
\ No newline at end of file
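Review bot: With `--fail` dropped from `extra_args`, the TruffleHog step fails on a verified finding only when the action adds the flag itself, and the new comment says that happens on pull_request events. The workflow's `on:` triggers are outside this hunk; if it also runs on push or a schedule, the scan would presumably exit 0 on a verified secret, and because the next step is gated on `steps.trufflehog_scan.outcome == 'failure'` the immediate dispatch would never fire. If the injection really is limited to pull_request, consider `extra_args: --only-verified ${{ github.event_name != 'pull_request' && '--fail' || '' }}` so other triggers keep failing closed. Either way, the comment should say that this behaviour belongs to the pinned action commit, so it is re-checked whenever the pin is bumped.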