fix(reusable-security-scan): actions/checkout@v6 drops GITHUB_TOKEN on deep fetch #50

@BryanFRD

Description

Surfaced on FerrLabs/Changelog's nightly Security scan (2026-05-23 cron at 06:00 UTC, and a manual rerun at 16:02).

Symptom

actions/checkout@v6 with fetch-depth: 0 fails inside our reusable workflow with:

[command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*
##[error]fatal: could not read Username for 'https://github.com': terminal prompts disabled

Then 2 retries (15s apart) before failing with exit 128. The extraheader injection step (git config http.https://github.com/.extraheader AUTHORIZATION: basic ***) IS executed earlier in the same step, but doesn't apply to this specific fetch ref-spec. Looks like a v6 regression on how it propagates GITHUB_TOKEN to the second 'unshallow' fetch.

Affected jobs

  • gitleaks — flaky (sometimes pass, sometimes fail)
  • trufflehog (deep history, cron-only) — consistently fail on Changelog
  • osv-scanner — still passes (probably because no deep fetch needed)

The result: gitleaks alternates red/green and trufflehog never runs.

Fix

Pin actions/checkout@v6 -> actions/checkout@v5 in all three jobs. v5 is stable and known-working with our fetch-depth: 0 use case.

Out of scope

The actual GitHub bug ticket on actions/checkout — would be worth filing upstream with a minimal repro.
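To audit other workflows for the same combination (a checkout step at the reported ref that also sets fetch-depth: 0) and to apply the pin described above, here is a small added scanner. It is example code, not part of this issue or the FerrLabs workflows; the embedded workflow text is a constructed sample, and the line-based parsing assumes the usual 2-space YAML indentation so that it runs without a YAML library.

```python
import re

# Constructed sample workflow (not the project's real file): three scan jobs,
# two of which do the deep fetch described in the issue.
SAMPLE_WORKFLOW = """\
name: Security scan
on:
  workflow_call:
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - run: echo scan
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
  osv-scanner:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
"""

JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job key at 2-space indent
USES_RE = re.compile(r"^\s*-\s*uses:\s*actions/checkout@(\S+)\s*$")
DEPTH_RE = re.compile(r"^\s*fetch-depth:\s*0\s*$")

def find_deep_checkouts(text, bad_ref="v6"):
    """Return [(job, ref)] for each checkout step pinned to bad_ref that also
    sets fetch-depth: 0, i.e. the combination the issue reports as failing."""
    lines, hits, job = text.splitlines(), [], None
    for i, line in enumerate(lines):
        m = JOB_RE.match(line)
        if m:
            job = m.group(1)
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        step_indent = len(line) - len(line.lstrip())
        deep = False
        # Walk this step's keys; stop at the next list item or job boundary.
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= step_indent:
                break
            deep = deep or bool(DEPTH_RE.match(nxt))
        if deep and m.group(1) == bad_ref:
            hits.append((job, m.group(1)))
    return hits

def pin_checkout(text, old="v6", new="v5"):
    """Apply the fix from the issue: repin every actions/checkout@old to @new."""
    return re.sub(rf"actions/checkout@{re.escape(old)}\b", f"actions/checkout@{new}", text)
```

Running find_deep_checkouts on the sample flags gitleaks and trufflehog but not osv-scanner, matching the job behaviour listed above.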
