ci: fix secret passing into reusable wokflow (#541)

* update secrets

Signed-off-by: Asra Ali <asraa@google.com>

Author: asraa

.github/workflows/reuseable-snapshot-timestamp.yml

@@ -19,6 +19,13 @@ name: Snapshot and Timestamp Template
 # TODO(asraa): Create user workflows for repository-beta/, and ceremony/ flows.
 on:
   workflow_call:
+    secrets:
+      token:
+        description: >
+          Optional token.
+          This argument is passed, unchanged, to the job that creates the pull request.
+        required: false
+        default: ${{ github.token }}
     inputs:
       snapshot_key:
         description: 'Sets the snapshotting key reference'
@@ -51,10 +58,6 @@ on:
         required: false
         default: true
         type: boolean
-      token:
-        description: 'GitHub token used to create the PR. This allows the PR to trigger CI workflows'
-        required: false
-        default: ${{ github.token }}
 
 jobs:
   snapshot_and_timestamp:
@@ -137,8 +140,6 @@ jobs:
     permissions:
       pull-requests: 'write'
       contents: 'write'
-    secrets:
-      token: ${{ input.token }}
     steps:
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
@@ -157,6 +158,7 @@ jobs:
           branch: update-snapshot-timestamp
           signoff: true
           reviewers: asraa,dlorenc,haydentherapper,joshuagl
+          token: ${{ secrets.token }}
 
   if-push-failed:
     runs-on: ubuntu-latest

.github/workflows/stable-snapshot-timestamp.yml

@@ -46,4 +46,5 @@ jobs:
       repo: 'repository/'
       provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
       service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com'
+    secrets:
       token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }}