
ci: add release freeze gate #11621

Draft
HugoPBrito wants to merge 3 commits into master from ci/release-freeze-gate

Conversation

@HugoPBrito HugoPBrito commented Jun 16, 2026

Member

Context

Adds a release-freeze gate for pull requests and merge queue checks targeting master.

This PR prepares the repository-side check, but it does not enforce the freeze by itself. To block merges during a release, repository admins must apply the companion platform Terraform change that requires the release-freeze-gate status check on master:

No issue linked. Draft PR opened to review the release-freeze approach before enabling enforcement.

Description

  • Add a release-freeze-gate GitHub Actions workflow job for PRs targeting master.
  • Add merge_group support so the same gate can run with merge queue validation.
  • Fail the check when the repository variable RELEASE_FREEZE is set to true, TRUE, or True.
  • Allow merges when RELEASE_FREEZE is unset, empty, false, or any other value.
  • Update prepare-release to set RELEASE_FREEZE=true automatically when release preparation starts.

Operational behavior:

# prepare-release now does this automatically at release start
gh variable set RELEASE_FREEZE --body true --repo prowler-cloud/prowler

# unfreeze remains manual or handled by a future release-completion workflow
gh variable set RELEASE_FREEZE --body false --repo prowler-cloud/prowler

Required enforcement after this lands:

  1. Merge this PR so the release-freeze-gate workflow exists on master and prepare-release can enable the freeze.
  2. Apply the platform Terraform change from https://github.com/prowler-cloud/platform/pull/859.
  3. Keep any emergency bypass actors managed through GitHub branch protection/ruleset configuration, not labels.

Important operational note: this PR automates enabling the freeze at release preparation time. It does not automatically disable the freeze after release completion yet. Release managers must set RELEASE_FREEZE=false manually unless/until we wire that into the release-completion path.

Steps to review

  • Review .github/workflows/release-freeze-gate.yml.
  • Review .github/workflows/prepare-release.yml.
  • Confirm the workflow uses permissions: {} and does not checkout PR code in release-freeze-gate.
  • Confirm prepare-release grants actions: write only for the job that updates the repository Actions variable.
  • Confirm the intended required check context is release-freeze-gate.
  • Confirm the external platform Terraform enforcement dependency is clear before enabling enforcement.

Validation run locally:

  • uv run prek run check-yaml --files .github/workflows/release-freeze-gate.yml
  • uv run prek run check-yaml --files .github/workflows/prepare-release.yml .github/workflows/release-freeze-gate.yml
  • uv run prek run zizmor --files .github/workflows/release-freeze-gate.yml
  • uv run prek run zizmor --files .github/workflows/prepare-release.yml .github/workflows/release-freeze-gate.yml
  • Repository pre-commit hooks during commit, including check yaml, zizmor, and TruffleHog
  • actionlint .github/workflows/release-freeze-gate.yml .github/workflows/prepare-release.yml was not run because actionlint is not installed locally

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No
    • If so, do we need to update permissions for the provider? No

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px < X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, uv, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
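As an added illustration, not code from this PR or from the Prowler repository, the script below implements the freeze decision the description spells out (fail on RELEASE_FREEZE exactly `true`, `TRUE` or `True`; pass on unset, empty, `false` or anything else; apply only to `pull_request` and `merge_group` runs whose base is `master`) as a step script a workflow could run without checking out PR code. The function names, the `--run` flag and the `GATE_BASE_REF` variable are assumptions; `GITHUB_EVENT_NAME` is a standard Actions environment variable.

```shell
#!/usr/bin/env sh
# Added example (not this PR's workflow): POSIX sh implementation of the
# release-freeze gate decision described in the PR text. Runs with no checkout
# and needs no permissions, matching the `permissions: {}` intent.
#
# Assumptions (not on the page): the function names, the --run flag, and that
# the workflow exports the target branch as GATE_BASE_REF, for example
#   GATE_BASE_REF: ${{ github.base_ref || github.event.merge_group.base_ref }}

# gate_applies EVENT BASE_REF
# Succeeds only for pull_request and merge_group runs whose base is master.
# merge_group reports the base as a full ref (refs/heads/master), so the
# refs/heads/ prefix is stripped before comparing.
gate_applies() {
  event=$1
  base=${2#refs/heads/}
  case "$event" in
    pull_request|merge_group) [ "$base" = "master" ] ;;
    *) return 1 ;;
  esac
}

# release_freeze_gate VALUE
# Fails (status 1) when VALUE is exactly true, TRUE or True, the three spellings
# the PR treats as "frozen". Unset, empty, false and any other value pass.
# The match is exact: no trimming or extra case folding, so "yes" or " true"
# do not freeze, exactly as the description states.
release_freeze_gate() {
  case "$1" in
    true|TRUE|True)
      echo "release freeze is active (RELEASE_FREEZE=$1); failing the check" >&2
      return 1
      ;;
    *)
      echo "release freeze is not active (RELEASE_FREEZE='${1:-<unset>}'); check passes" >&2
      return 0
      ;;
  esac
}

# gate_main reads the workflow environment. The flag value is expected to come
# from the repository Actions variable (vars.RELEASE_FREEZE), which is changed
# through the prepare-release job or a manual `gh variable set`, not from
# anything in the PR branch itself.
gate_main() {
  if ! gate_applies "${GITHUB_EVENT_NAME:-}" "${GATE_BASE_REF:-}"; then
    echo "gate does not apply to event '${GITHUB_EVENT_NAME:-}' on base '${GATE_BASE_REF:-}'" >&2
    return 0
  fi
  release_freeze_gate "${RELEASE_FREEZE:-}"
}

# Assumed workflow step:
#   env:
#     RELEASE_FREEZE: ${{ vars.RELEASE_FREEZE }}
#     GATE_BASE_REF: ${{ github.base_ref || github.event.merge_group.base_ref }}
#   run: sh release_freeze_gate.sh --run
# Without --run the file only defines the functions, so it can be sourced
# for local testing.
if [ "${1:-}" = "--run" ]; then
  gate_main || exit 1
fi
```

Keeping the decision in a few pure functions makes it easy to check locally that the spelling rules behave as the description says before the check is made required through the platform Terraform change.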

- Add a PR and merge queue gate for master

- Block merges when RELEASE_FREEZE is enabled
coderabbitai Bot commented Jun 16, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 459bc0f7-9f1d-48d0-ae39-4abe6324dfb8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot added the github_actions Pull requests that update GitHub Actions code label Jun 16, 2026
github-actions Bot commented Jun 16, 2026

Contributor

✅ All necessary CHANGELOG.md files have been updated.

github-actions Bot commented Jun 16, 2026

Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.
