From 50e35ec11de7af816d9b1c42f3b64e07118a3260 Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Sun, 31 May 2026 20:06:20 -0400
Subject: [PATCH] ci(security-scan): declare workflow_call.secrets so callers can pass by name

The reusable security-scan workflow consumes SEMGREP_APP_TOKEN, SNYK_TOKEN and GITLEAKS_LICENSE in its jobs but did not declare them under workflow_call, forcing callers to use `secrets: inherit` -- which forwards ALL of the caller's secrets and trips zizmor's `secrets-inherit` audit (e.g. resq-software/programs alert #11).

Declare them explicitly (all required: false, each gated by its enable-* input).

Backward-compatible.
---
 .github/workflows/security-scan.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 642989d..dff2edc 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -72,6 +72,21 @@ on:
         required: false
         default: ""
 
+    # Declared so callers can forward these by name instead of `secrets:
+    # inherit` (which hands this workflow ALL of the caller's secrets and
+    # trips zizmor's `secrets-inherit` audit). All optional, each gated by
+    # its matching `enable-*` input, so omitting one is a no-op.
+    secrets:
+      GITLEAKS_LICENSE:
+        description: GitLeaks license key. Used only when enable-gitleaks is true.
+        required: false
+      SEMGREP_APP_TOKEN:
+        description: Semgrep App token. Used only when enable-semgrep is true.
+        required: false
+      SNYK_TOKEN:
+        description: Snyk token. Used only when enable-snyk is true.
+        required: false
+
 permissions:
   contents: read
   security-events: write # CodeQL + SARIF uploads
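Review bot: Declaring all three secrets as `required: false` means a caller that sets `enable-semgrep: true` (or the gitleaks/snyk equivalents) but forgets to forward the matching secret is accepted silently, and the descriptions added here ("Used only when enable-X is true") document the dependency without enforcing it; the scan job then runs with an empty token, which for a tool that needs the token to fetch rules or upload results degrades the scan rather than failing it. The jobs that consume these secrets are outside this hunk, so I cannot see whether any of them already validates the token, but nothing in `workflow_call` can express "required when input X is true", so a fail-fast step at the top of each gated job is the usual fix. Presumably the `enable-*` inputs are booleans; if they are strings the `if:` below needs `== 'true'`. I would also note in the comment block that omission is a no-op only at declaration time, e.g. `# NOTE: required:false is not enforced per enable-* input; each job should fail fast if its secret is empty.`

```yaml
      # first step of the semgrep job (and likewise for gitleaks / snyk)
      - name: Require SEMGREP_APP_TOKEN when Semgrep is enabled
        if: inputs.enable-semgrep
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
        run: test -n "$SEMGREP_APP_TOKEN" || { echo "::error::enable-semgrep is true but SEMGREP_APP_TOKEN was not forwarded by the caller"; exit 1; }
      # … unchanged: remaining steps of the job …
```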