
fix: clean up reusable workflow inputs and bump action versions (INT-1582) #3

Open

glaracuente wants to merge 2 commits into main from fix/INT-1582/fix_errors_from_testing

Conversation


@glaracuente glaracuente commented May 28, 2026

what

  • lint.yaml:
    • Drop the head-ref input and GITHUB_TOKEN secret from workflow_call.
    • Pin the checkout ref to refs/pull/{number}/merge.
    • Set fetch-depth: 0.
  • release-please.yaml: Bump actions/create-github-app-token to v3.2.0 and googleapis/release-please-action to v5.0.0.
  • tf-test.yaml: Remove the GITHUB_TOKEN secret from workflow_call.
  • zizmor.yaml: Deleted.

why

  • The head-ref input and GITHUB_TOKEN are already available in the context of the workflow run, and there was no need to pass them in.
  • Pin the checkout ref to refs/pull/{number}/merge so callers triggering on pull_request_target lint the feature-branch code (no-op for pull_request callers).
  • Set fetch-depth: 0 so Trunk can compute the PR diff against the base — the default shallow clone has no merge-base, and persist-credentials: false strips the token before Trunk's on-the-fly fetch can succeed.
  • Any actions bumped were just because I figured it would be a good chance to get up to date as an easy win here.
  • The Zizmor workflow is no longer needed, since we are using the zizmor plugin in Trunk, and it ends up running as part of our lint workflow.
  • Note on permissions: Caller-job permissions act as a ceiling — the reusable workflow can scope down within them, but cannot exceed them. Although not strictly required (can be omitted in this repo), declaring permissions in both places makes it clear where each scope is needed and why.
  • Example of how these will be called is in this terraform-spacelift-automation PR

references

Summary by CodeRabbit

  • Chores
    • Updated CI workflows for improved maintainability and pinned action versions for release automation.
    • Simplified lint and test workflow triggers and removed mandatory token input requirements.
    • Enhanced checkout behavior to fetch full history for accurate diff computations.
    • Removed the dedicated security scanning workflow from the CI/CD pipeline.
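The following is an added example, not the project's lint.yaml or any caller's file from this PR: a reusable lint workflow and one caller that together show the three points in the description (empty workflow_call interface, merge-ref checkout, fetch-depth: 0) and the caller-as-ceiling permissions rule. The file names, job names, the Trunk step, the action tags and OWNER/REPO are assumptions.

```yaml
# Added example, not the project's own lint.yaml or any caller's file: a reusable
# lint workflow and one caller, showing the changes the PR description lists.
# File names, the job name, the linter step and the action tags are assumptions.
#
# .github/workflows/lint.yaml (reusable workflow)
name: lint

on:
  # No head-ref input and no GITHUB_TOKEN secret: both are already available to
  # the run (github.event.* and the caller's token), so the interface is empty.
  workflow_call: {}

# The callee scopes down; it can never exceed the caller job's permissions.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in a real repo
        with:
          # The merge ref is the PR head merged onto base. For a caller that
          # triggers on pull_request_target (whose default checkout is the base
          # branch) this lints the feature-branch code; for pull_request callers
          # it is what checkout would have fetched anyway.
          ref: refs/pull/${{ github.event.number }}/merge
          # Full history so Trunk can find the merge-base for its PR diff; the
          # default shallow clone has none, and with persist-credentials: false
          # the token is gone before Trunk could fetch on the fly.
          fetch-depth: 0
          persist-credentials: false
      - name: Lint with Trunk
        uses: trunk-io/trunk-action@v1   # assumed pin
---
# Caller repository, .github/workflows/ci.yaml (assumed name)
name: ci

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  lint:
    # Ceiling for everything the reusable workflow may do. Keep it read-only for
    # a job that checks out and lints PR-authored content; raise a scope here
    # only when a step inside the callee actually needs it.
    permissions:
      contents: read
    uses: OWNER/REPO/.github/workflows/lint.yaml@main   # OWNER/REPO is a placeholder
    # No `with:` inputs and no `secrets:` after the cleanup.
```

Two things a reviewer would check in this shape: the caller's permissions block is the upper bound, so a pull_request_target caller that lints PR content should stay at contents: read and pass no secrets into the job; and persist-credentials: false keeps the token out of the checked-out repo's git config, which is why the full clone has to happen up front rather than on demand.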



coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 10614d46-8702-43a4-8ed9-dfe7ab646b6b

📥 Commits

Reviewing files that changed from the base of the PR and between c1e9b85 and ae2fa0b.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yaml

📝 Walkthrough

This pull request updates GitHub Actions workflows: lint and tf-test remove required workflow_call inputs/secrets; lint checkout now uses a PR merge ref and fetches full history; release-please action SHAs are updated.

Changes

Workflow Updates

  • Workflow callable interfaces simplified (.github/workflows/lint.yaml, .github/workflows/tf-test.yaml): Lint and tf-test workflows remove declared workflow_call requirements: head-ref input and GITHUB_TOKEN secret are no longer required; workflow_call is empty for lint.
  • Lint workflow checkout logic updated (.github/workflows/lint.yaml): Checkout ref changed from inputs.head-ref to a computed refs/pull/{number}/merge using github.event.number, and fetch-depth set to 0 to fetch full history for Trunk diff computation.
  • Action dependency versions bumped (.github/workflows/release-please.yaml): Pinned SHAs updated: actions/create-github-app-token moved to v3.2.0, googleapis/release-please-action moved to v5.0.0.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Gowiem
  • oycyc

Poem

🐰 I hopped through CI so spry and neat,
I trimmed the calls and tuned the feat.
Merge refs now fetch the forest whole,
Actions updated, workflows stroll.
Bye-bye Zizmor—off for a treat!

🚥 Pre-merge checks: ✅ 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: cleaning up reusable workflow inputs and bumping action versions across multiple workflow files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-please.yaml:
- Around line 27-31: The create-github-app-token step (uses:
actions/create-github-app-token@..., id: generate-token) currently inherits all
installation permissions; update that step to pass explicit permission-<name>
inputs to scope the token to least privilege required by the release workflow
(for example add permission-contents: write, permission-pull-requests: write,
permission-issues: write and permission-metadata: read) so the generated token
only grants those specific rights instead of all installation permissions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: efba5c93-3f69-4e53-891b-59a715b79a69

📥 Commits

Reviewing files that changed from the base of the PR and between e0014f7 and c1e9b85.

📒 Files selected for processing (4)
  • .github/workflows/lint.yaml
  • .github/workflows/release-please.yaml
  • .github/workflows/tf-test.yaml
  • .github/workflows/zizmor.yaml
💤 Files with no reviewable changes (2)
  • .github/workflows/zizmor.yaml
  • .github/workflows/tf-test.yaml
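As an added example of the least-privilege point in the inline comment above (not the project's release-please.yaml), here is a release-please job with the app-token step in both forms: the unscoped version that inherits every installation permission, kept as a comment, and the scoped version that names only the rights the release workflow needs. The secret names, the trigger, the job layout and the top-level permissions block are assumptions; the action versions are the ones this PR pins to.

```yaml
# Added example, not the project's release-please.yaml: the app-token step
# before and after scoping, per the least-privilege review comment.
# Secret names, trigger and job layout are assumptions.
name: release-please

on:
  push:
    branches: [main]

# The job's own GITHUB_TOKEN grants nothing; the app token does all the work.
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      # Before: no permission-* inputs, so the token inherits every permission
      # the GitHub App installation has on the repository.
      # - uses: actions/create-github-app-token@v3.2.0
      #   id: generate-token
      #   with:
      #     app-id: ${{ secrets.RELEASE_APP_ID }}
      #     private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      # After: the token carries only the rights release-please needs.
      - uses: actions/create-github-app-token@v3.2.0   # pin to a SHA in practice
        id: generate-token
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}                # assumed secret names
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          permission-contents: write        # release commits and tags
          permission-pull-requests: write   # open and update the release PR
          permission-issues: write          # drop if release notes never touch issues
          permission-metadata: read

      - uses: googleapis/release-please-action@v5.0.0   # pin to a SHA in practice
        with:
          token: ${{ steps.generate-token.outputs.token }}
```

The difference is only visible in the token's scopes, so the check to run after adopting this is the audit-log or API view of the installation token's permissions: a token minted with permission-* inputs should list exactly the four scopes above and nothing else the app has been granted.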

@glaracuente glaracuente requested a review from a team May 28, 2026 16:11
@glaracuente glaracuente requested a review from gberenice May 29, 2026 20:06

@Gowiem Gowiem left a comment


:shipit:
