PYTHON-5348 Run GitHub Actions Scan as Part of Python Release (#1000)

Author: blink1073

.github/workflows/codeql-actions.yml

@@ -10,6 +10,11 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '17 10 * * 2'
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
 
 jobs:
   analyze-python:
@@ -27,6 +32,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        ref: ${{ inputs.ref }}
         persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.

.github/workflows/release-python.yml

@@ -61,14 +61,20 @@ jobs:
     with:
       ref: ${{ needs.pre-publish.outputs.version }}
 
-  static-scan:
+  static-python:
     needs: [pre-publish]
     uses: ./.github/workflows/codeql-python.yml
     with:
       ref: ${{ needs.pre-publish.outputs.version }}
 
+  static-actions:
+    needs: [pre-publish]
+    uses: ./.github/workflows/codeql-actions.yml
+    with:
+      ref: ${{ needs.pre-publish.outputs.version }}
+
   publish:
-    needs: [build-dist, static-scan]
+    needs: [build-dist, static-python, static-actions]
     name: Upload release to PyPI
     runs-on: ubuntu-latest
     environment: release-python