feat(ci): require fast security scans on every PR (#327) (#330)

Add a per-PR security gate so secrets, vulnerable dependencies, and
workflow misconfigurations are caught at PR time instead of only in the
weekly Security suite — the gap that let AWS account IDs reach history
in #313.

- New security-pr.yml: range-scoped gitleaks + osv-scanner + zizmor on
  pull_request + merge_group. Secrets are scanned over the PR's own
  commit range (<base>..<head>), never an unbounded all-refs sweep, so a
  PR only fails on secrets it introduces.
- build.yml: add the merge_group trigger so build can become a required
  status check without deadlocking the merge queue (a check must report
  on merge_group to satisfy the queue).
- mise.toml: migrate security:secrets / :staged off the deprecated
  gitleaks detect/protect (removed from --help in v8.19.0) to
  `gitleaks git`; add security:secrets:range (GITLEAKS_RANGE-parameterized,
  defaults to HEAD, never an empty all-refs scan). security:secrets
  remains the full-history sweep used by the weekly security.yml.
- build.yml: correct the misleading MISE_DISABLE_TOOLS comment.

The required_status_checks ruleset rule, GitHub secret-scanning push
protection, and require_code_owner_review are repo settings (not code)
and are documented in the PR for an admin to apply.

Refs #327

Author: theagenticguy

.github/workflows/build.yml

@@ -0,0 +1,81 @@
+name: security-pr
+# Fast, required-on-PR security gate (issue #327). Catches the incident class
+# (#313: secrets reaching history because the scan only ran weekly) at PR time.
+#
+# Scope is deliberately the FAST scanners only — secrets (range-scoped),
+# dependencies, and workflow static-analysis — so this stays off the slow path
+# (<~3 min) and can be a required status check without throttling the inner loop.
+# The heavy image + SAST suite (trivy/grype/semgrep) runs in security.yml and is
+# tracked separately by #235; the full-history secret sweep also lives there.
+on:
+  pull_request: {}
+  # Must also run on merge_group so this check reports inside the merge queue;
+  # otherwise marking it a required check deadlocks the queue. See #327.
+  merge_group: {}
+  workflow_dispatch: {}
+
+# Least privilege: read the code, nothing else.
+permissions:
+  contents: read
+
+concurrency:
+  group: security-pr-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  secrets-deps-actions:
+    name: Secrets, deps, and workflow scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+    env:
+      CI: "true"
+      MISE_EXPERIMENTAL: "1"
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # Full history so the range scan can resolve the base ref. A shallow
+          # clone would leave origin/<base> unresolvable for the commit-range diff.
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install mise
+        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+        with:
+          cache: true
+
+      - name: Resolve PR commit range
+        id: range
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          set -euo pipefail
+          case "$EVENT_NAME" in
+            pull_request)
+              # Scan exactly the commits this PR introduces.
+              echo "range=${PR_BASE_SHA}..${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
+              ;;
+            merge_group|workflow_dispatch|*)
+              # In the merge queue (and on manual dispatch) there is no PR diff to
+              # scope to; scan the full reachable history as a backstop.
+              echo "range=" >> "$GITHUB_OUTPUT"
+              ;;
+          esac
+          echo "Resolved GITLEAKS_RANGE='$(tail -n1 "$GITHUB_OUTPUT" | cut -d= -f2-)'"
+
+      - name: Secret scan (gitleaks, PR range)
+        env:
+          GITLEAKS_RANGE: ${{ steps.range.outputs.range }}
+        run: mise run security:secrets:range
+
+      - name: Dependency scan (osv-scanner)
+        run: mise run security:deps
+
+      - name: Workflow static analysis (zizmor)
+        run: mise run security:gh-actions

.github/workflows/security-pr.yml

@@ -108,12 +108,23 @@ run = [
 ##################
 
 [tasks."security:secrets"]
-description = "Scan for secrets with gitleaks"
-run = "gitleaks detect --source . --no-banner"
+description = "Scan all git history for secrets with gitleaks (full-history sweep)"
+# `gitleaks git` (history-aware) replaces the deprecated `gitleaks detect`
+# (removed from --help in v8.19.0). With no --log-opts this scans the full
+# history reachable from the checkout, matching the previous behaviour.
+run = "gitleaks git . --no-banner --redact"
+
+[tasks."security:secrets:range"]
+description = "gitleaks over a commit range only (per-PR gate). Set GITLEAKS_RANGE, e.g. origin/main..HEAD"
+# Range-scoped scan: only the commits a branch/PR introduces, not full history.
+# Defaults to the full history when GITLEAKS_RANGE is unset so the task is safe
+# to run anywhere. The per-PR CI job sets GITLEAKS_RANGE=origin/$BASE..HEAD.
+run = 'gitleaks git . --no-banner --redact --log-opts="${GITLEAKS_RANGE:-}"'
 
 [tasks."security:secrets:staged"]
 description = "gitleaks on staged changes (pre-commit hook)"
-run = "gitleaks protect --staged --no-banner"
+# `gitleaks git --staged` replaces the deprecated `gitleaks protect --staged`.
+run = "gitleaks git . --staged --no-banner --redact"
 
 [tasks."security:sast"]
 description = "SAST scan with semgrep (auto + OWASP top 10)"