
ci(pr-leakage): add caller stub for shared pr-leakage workflow#873

Draft
btipling wants to merge 1 commit into main from bt/pr-leakage-wiring

Conversation

@btipling (Contributor)

Summary

Add a one-file caller stub that wires this repo into the reusable pr-leakage-check workflow hosted in ConductorOne/github-workflows. The stub scans every PR's title, body, and commit messages for customer-identifying data and internal infra references.

What changed

  • Add .github/workflows/pr-leakage.yaml — invokes ConductorOne/github-workflows/.github/workflows/pr-leakage-check.yaml@main on pull_request events of types opened, edited, synchronize, and reopened.

No source code changes.

Why

config-validation — Public repos must not name a specific customer or expose internal service topology in a permanent, world-readable artifact. The four trigger types cover the failure modes: a clean PR cannot have its body edited later to add a customer name without re-scanning, and new commit messages on a push are also scanned.

Test plan

  • The reusable workflow's own self-test (in ConductorOne/github-workflows) covers the scanner against captured leaky and clean fixtures.
  • After this stub lands, the next PR opened on this repo triggers the check.
  • This PR's own title and body were scanned with the new tool and produced zero findings.

Risk

low — The workflow runs in the base-repo context with read-only GITHUB_TOKEN and pulls the scanner from @main of the shared repo, not from the PR head, so a fork PR cannot modify the scanner that runs on it. Failure surfaces as a check failure without blocking merge until a repo admin adds the check to required-checks.

Follow-ups

  • Pin the uses: ref to a tagged version once ConductorOne/github-workflows cuts one.
  • After a bake-in period, add pr-leakage / check to this repo's required checks.

Refs: ConductorOne/github-workflows#85

What: Add .github/workflows/pr-leakage.yaml that invokes the reusable
      pr-leakage-check.yaml hosted in ConductorOne/github-workflows on every
      pull_request opened, edited, synchronize, and reopened event.
Why:  config-validation — Public repos must not name a specific customer or
      expose internal service topology in a permanent world-readable
      artifact.

Refs: ConductorOne/github-workflows#85
.github/workflows/pr-leakage.yaml (reviewed lines):

    uses: ConductorOne/github-workflows/.github/workflows/pr-leakage-check.yaml@main
    with:
      pr_number: ${{ github.event.pull_request.number }}
    secrets: inherit
Contributor (review comment):

🟡 Suggestion: secrets: inherit forwards all repository secrets to the reusable workflow. Since the scanner only needs read access to PR metadata (and GITHUB_TOKEN is automatically available to reusable workflows), consider dropping this line to follow least-privilege. If the reusable workflow later adds a secrets: input, this would silently expose every repo secret to it.

Suggested change (delete this line):
    secrets: inherit

@github-actions (Contributor): ghost commented May 24, 2026

General PR Review: ci(pr-leakage): add caller stub for shared pr-leakage workflow

Blocking Issues: 0 | Suggestions: 1 | Threads Resolved: 0
Review mode: full

Review Summary

This PR adds a single GitHub Actions workflow file (.github/workflows/pr-leakage.yaml) that wires the repo into a reusable pr-leakage-check workflow for scanning PR titles, bodies, and commit messages for customer-identifying data. The workflow is well-scoped with read-only permissions. One suggestion to tighten secret passing.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

  • secrets: inherit passes all repo secrets to the reusable workflow unnecessarily — .github/workflows/pr-leakage.yaml:18
Prompt for AI agents
Verify each finding against the current code and only fix it if needed.

## Suggestions

In `.github/workflows/pr-leakage.yaml`:
- Around line 18: `secrets: inherit` forwards all repository secrets to the reusable workflow. Since the scanner only needs read access to PR metadata and `GITHUB_TOKEN` is automatically available to reusable workflows, remove the `secrets: inherit` line to follow the principle of least privilege.
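The least-privilege form of the caller stub that both reviews ask for, written here as an added example rather than the PR's own file: it keeps the four pull_request triggers and the read-only token described in the PR, and omits `secrets: inherit`. The `uses:` target and the `pr_number` input come from the reviewed snippet above; the `permissions` block, the job id and the workflow name are assumptions.

```yaml
# Added example, not the file from this PR. Assumed names: workflow "pr-leakage",
# job id "check", and the permissions block below (the PR only says the token is
# read-only, not which scopes it grants).
name: pr-leakage

on:
  pull_request:
    # Re-scan when the body is edited or new commits are pushed, not only on open,
    # so a clean PR cannot later have a customer name added without a check.
    types: [opened, edited, synchronize, reopened]

# Read-only GITHUB_TOKEN: the scanner only reads PR metadata. A called reusable
# workflow can only narrow these scopes, never widen them.
permissions:
  contents: read
  pull-requests: read

jobs:
  check:
    # Scanner is pulled from @main of the shared repo, not from the PR head, so a
    # fork PR cannot change the scanner that runs against it. Pin to a tag once
    # ConductorOne/github-workflows cuts one (see Follow-ups).
    uses: ConductorOne/github-workflows/.github/workflows/pr-leakage-check.yaml@main
    with:
      pr_number: ${{ github.event.pull_request.number }}
    # No `secrets: inherit`: GITHUB_TOKEN is passed to the called workflow
    # automatically, so no repository secret is forwarded. If the reusable
    # workflow later declares a `secrets:` input, pass only that named secret.
```

Without `secrets: inherit`, a later `secrets:` input added to the reusable workflow fails loudly at the caller instead of silently receiving every repository secret.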

@ghost left a comment:

No blocking issues found.
