fix(ci): security-pr gitleaks scans full history on merge_group, deadlocking the merge queue #336

@scottschreckengaust

Description

Problem

security-pr.yml (required check, #327) resolves GITLEAKS_RANGE to empty on merge_group events, so mise run security:secrets:range falls back to scanning the entire reachable history (335 commits) instead of just the commits being merged.

The full history contains the known historical aws-account-id findings from 0dca217 (#313). Those are suppressed by .gitleaksignore on pull_request runs of the same range scan, but on the merge-queue checkout the scan reports leaks found: 2 and fails — see job 81132907683.

Impact: P0 — every PR entering the merge queue fails the required Secrets, deps, and workflow scan check. The merge queue is effectively deadlocked (e.g. PR #334).

Root cause

In the Resolve PR commit range step, the merge_group|workflow_dispatch|*) case sets range="" "as a backstop". The full-history backstop belongs to the weekly security.yml sweep — not to a fast required PR gate, and there is no exclusion that makes a full-history scan pass there.

Fix

Scope the merge_group case to exactly the commits in the merge group using the event payload:

  • range=${{ github.event.merge_group.base_sha }}..${{ github.event.merge_group.head_sha }}

This mirrors how build.yml already consumes github.event.merge_group.*. workflow_dispatch keeps the full-history fallback (manual, not a required check).
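The range resolution described under Fix, as an added shell example that is not the repository's security-pr.yml or its mise task: resolve_range mirrors the event case statement with the merge_group branch scoped to the merge-group payload (passed in here as plain arguments instead of ${{ github.event.merge_group.* }} expressions), required_gate_ok encodes the rule that a required PR gate must never run with an empty range, and gitleaks_args shows the equivalent gitleaks --log-opts invocation. How mise run security:secrets:range actually calls gitleaks is not shown on the page and is assumed here; the function names and SHA values are constructed.

```shell
#!/bin/sh
# Added example, not the repository's workflow code. Inputs are passed as
# arguments; in the real workflow they come from github.event.* expressions.

# resolve_range EVENT_NAME PR_BASE PR_HEAD MG_BASE MG_HEAD
# Prints the git revision range to scan. Empty output means "full reachable
# history", which is only acceptable for the manual workflow_dispatch sweep.
resolve_range() {
  event="$1"; pr_base="$2"; pr_head="$3"; mg_base="$4"; mg_head="$5"
  case "$event" in
    pull_request)
      printf '%s..%s\n' "$pr_base" "$pr_head" ;;
    merge_group)
      # Fixed branch: exactly the commits in the merge group, from the
      # merge_group.base_sha / merge_group.head_sha payload fields.
      if [ -z "$mg_base" ] || [ -z "$mg_head" ]; then
        echo "merge_group payload missing base_sha/head_sha" >&2
        return 1
      fi
      printf '%s..%s\n' "$mg_base" "$mg_head" ;;
    *)
      # workflow_dispatch and anything else keep the full-history backstop.
      printf '\n' ;;
  esac
}

# required_gate_ok EVENT_NAME RANGE
# A required PR gate (pull_request or merge_group) must never run with an
# empty range; that empty range is the deadlock this issue describes.
required_gate_ok() {
  event="$1"; range="$2"
  case "$event" in
    pull_request|merge_group) [ -n "$range" ] ;;
    *) return 0 ;;
  esac
}

# gitleaks_args RANGE
# Builds the gitleaks command line for the range (assumed to be what the
# mise task does). With no --log-opts gitleaks walks all reachable history.
gitleaks_args() {
  if [ -n "$1" ]; then
    printf 'gitleaks detect --source . --log-opts=%s\n' "$1"
  else
    printf 'gitleaks detect --source .\n'
  fi
}
```

In a workflow step the same check can be expressed as failing fast before gitleaks runs: if the event is a required gate and the resolved range is empty, exit non-zero with a clear message rather than letting the full-history scan produce unexplained leak findings.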

Acceptance criteria

Metadata

Labels

P0 (highest priority), approved (when an issue has been approved and ready), bug (something isn't working)
