ci(security-scan): declare workflow_call.secrets so callers can pass by name

[WomB0ComB0]

Summary

The reusable security-scan.yml consumes SEMGREP_APP_TOKEN, SNYK_TOKEN, and GITLEAKS_LICENSE inside its jobs but does not declare them under workflow_call. With no declaration, the only way a caller can supply them is secrets: inherit — which forwards all of the caller's secrets, not just the three this workflow needs. That trips zizmor's secrets-inherit audit (e.g. resq-software/programs code-scanning alert #11).

This PR declares the three secrets explicitly under workflow_call.secrets, all required: false (each is already gated by its matching enable-* input).

Why it's safe

• Backward-compatible — existing callers using secrets: inherit keep working unchanged.
• Opt-in named forwarding — callers can switch to e.g.

  secrets:
    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

  to clear the zizmor warning.
• All three stay optional; omitting one leaves that scanner unconfigured (current behaviour).

Follow-up (dependent change)

After this merges, resq-software/programs PR #30 will be updated to pin the new security-scan.yml SHA and replace secrets: inherit with named forwarding of SEMGREP_APP_TOKEN, clearing alert #11. PR #30 already clears alert #10 (unpinned-uses) independently.

Test plan

• CI green (actionlint / zizmor self-scan).
• A caller PR forwarding SEMGREP_APP_TOKEN by name resolves and semgrep still runs.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Review limit reached

@WomB0ComB0, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 4 minutes and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b7dfde69-ada6-4201-84e4-22a17abee5f2

📥 Commits

Reviewing files that changed from the base of the PR and between ee20019 and 50e35ec.

📒 Files selected for processing (1)

• .github/workflows/security-scan.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/declare-security-scan-secrets

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}