
fix(ci): scope merge_group gitleaks scan to the merge-group commit range#337

Closed
scottschreckengaust wants to merge 1 commit into
mainfrom
fix/336-merge-group-gitleaks-range

Conversation

@scottschreckengaust

Contributor

Summary

Closes #336 (P0). Unblocks the merge queue (currently deadlocking PR #334).

On merge_group events, the Resolve PR commit range step in security-pr.yml set GITLEAKS_RANGE to empty, so the "range" scan fell back to the full reachable history (335 commits). The full history re-reports the historical #313 aws-account-id findings, so the required Secrets, deps, and workflow scan check fails for every PR entering the merge queue — see job 81132907683:

gitleaks git . --no-banner --redact --log-opts=""
INF 335 commits scanned.
WRN leaks found: 2
ERROR task failed

Fix

Add a dedicated merge_group case that scopes the scan to exactly the commits being merged, using the event payload (same source build.yml already uses):

range=${{ github.event.merge_group.base_sha }}..${{ github.event.merge_group.head_sha }}

  • pull_request behaviour unchanged (base.sha..head.sha)
  • workflow_dispatch keeps the full-history backstop (manual run, not a required check)

Verification

  • mise run security:gh-actions (zizmor): no findings
  • Draft → the real test is this PR's own merge-queue run; the pull_request run of security-pr on this PR exercises the unchanged path

Note

Pushed as a draft without waiting for the full local build, per maintainer direction — this is a CI-only YAML change and the queue is blocked.

…nge (#336)

The merge_group case of the range resolver set GITLEAKS_RANGE empty,
falling back to a full-history scan that re-reports the historical #313
aws-account-id findings and fails the required check for every PR in
the merge queue. Use the merge_group event's base_sha..head_sha so the
queue scans exactly the commits being merged, mirroring how build.yml
consumes the merge_group payload. workflow_dispatch keeps the
full-history backstop.

Closes #336
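The range-resolution logic the PR describes, written as an added, stand-alone shell function (not the project's own security-pr.yml step) so it can be exercised offline. It assumes the three event names and the base/head SHA inputs named above, and adds one check the PR does not spell out: on the two required-check events it refuses to emit an empty range rather than silently falling back to a full-history scan, which is the failure mode behind #336.

```shell
#!/usr/bin/env sh
# Added example: resolves the GITLEAKS_RANGE value for a security-pr style
# workflow step. Arguments mirror the GitHub Actions context values the real
# step would read (assumed inputs, not the workflow's own code):
#   $1 = github.event_name   (pull_request | merge_group | workflow_dispatch)
#   $2 = base SHA            (pull_request.base.sha or merge_group.base_sha)
#   $3 = head SHA            (pull_request.head.sha or merge_group.head_sha)
# Prints the range on stdout. For required-check events an empty base or head
# is an error, because an empty range makes gitleaks scan all reachable history.
resolve_gitleaks_range() {
  event=$1
  base=$2
  head=$3
  case "$event" in
    pull_request|merge_group)
      if [ -z "$base" ] || [ -z "$head" ]; then
        echo "resolve_gitleaks_range: $event payload is missing base/head sha" >&2
        return 1
      fi
      printf '%s..%s\n' "$base" "$head"
      ;;
    workflow_dispatch)
      # Manual run: an empty range keeps the full-history backstop on purpose.
      printf '\n'
      ;;
    *)
      echo "resolve_gitleaks_range: unsupported event '$event'" >&2
      return 1
      ;;
  esac
}

# Constructed sample invocations (placeholder SHAs, not from any real run).
resolve_gitleaks_range merge_group 1111111 2222222
resolve_gitleaks_range workflow_dispatch "" ""
```

In a workflow step the printed value would be appended to `$GITHUB_ENV` as `GITLEAKS_RANGE=...` and passed to gitleaks via `--log-opts`.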
@krokoko

krokoko commented Jun 12, 2026

Contributor

Fix merged, closing this one

@krokoko krokoko closed this Jun 12, 2026

Development

Successfully merging this pull request may close these issues.

fix(ci): security-pr gitleaks scans full history on merge_group, deadlocking the merge queue
