Add support for reusable workflows in setup-ci

[chris3ware]

Trunk's code quality GitHub integration can be customised using a composite GitHub Action. But, secrets must be passed as inputs into this type of action. I'm not sure it's possible to tell trunk to fetch a repository secret and pass it as an input to the composite action - happy to be corrected though :-) Whereas a reusable workflows have access to the secrets context.

To give some context, here is a snippet from my composite action to set up AWS credentials and tflint for deep checking the AWS plugin

    # AWS Credentials required for tflint deep check
    - name: Configure AWS credentials via OIDC
      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        aws-region: us-east-1
        mask-aws-account-id: true
        role-to-assume: ${{ secret_role_name }}
        role-session-name: tflint-trunk-check

    # Install TFLint; required to download plugins
    - uses: terraform-linters/setup-tflint@15ef44638cb215296e7ba9e7a41f20b5b06f4784 # v4.0.0
      name: Setup TFLint
      with:
        tflint_version: v0.53.0

    # Install OpenTofu; required to initialise working directory
    - name: Setup OpenTofu
      uses: opentofu/setup-opentofu@ae80d4ecaab946d8f5ff18397fbf6d0686c6d46a # v1.0.3

    # Initialise OpenTofu in the directory where terraform file have changed.
    # TFLint initialisation required to download plugins
    - name: Initialise OpenTofu and TFLint
      shell: bash
      env:
        TF_DIRS: ${{ steps.tf-dir.outputs.all_changed_files }}
      run: |
        for dir in ${TF_DIRS}; do
          tofu -chdir=$GITHUB_WORKSPACE/$dir init --backend=false && \
          tflint -chdir=$GITHUB_WORKSPACE/$dir --init --config=$GITHUB_WORKSPACE/.trunk/configs/.tflint.hcl
        done

---

Running locally works providing I am logged in to AWS and the environment variables for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN are set and they are passed to the tflint definition in trunk.yaml:

  definitions:
    - name: tflint
      environment:
        - name: TFLINT_CONFIG_FILE
          value: ${workspace}/.trunk/configs/.tflint.hcl
        - name: TFLINT_PLUGIN_DIR
          value: ${workspace}/.trunk/plugins/
        - name: AWS_ACCESS_KEY_ID
          value: ${env.AWS_ACCESS_KEY_ID}
        - name: AWS_SECRET_ACCESS_KEY
          value: ${env.AWS_SECRET_ACCESS_KEY}
        - name: AWS_SESSION_TOKEN
          value: ${env.AWS_SESSION_TOKEN}

The problem I am trying to overcome is pulling the role-to-assume parameter of the aws-configure-credentials action from a repository secret in the setup-ci action so what I have working locally will also work in CI, without exposing the name of the role in the configuration.

Reusable workflows also support token permissions, meaning the correct permissions (id-token: write) could be set for OIDC authentication.