Add finalize workflow for secure sonarcloud checks (#4820)

Author: alisonlhart

.github/workflows/finalize.yml

@@ -0,0 +1,25 @@
+---
+name: finalize
+on:
+  workflow_run:
+    workflows:
+      - tox
+    types:
+      - completed
+
+permissions: read-all
+
+jobs:
+  finalize:
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      (github.event.workflow_run.event == 'pull_request' ||
+       (github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main'))
+    uses: ansible/team-devtools/.github/workflows/finalize.yml@main
+    with:
+      run-id: ${{ github.event.workflow_run.id }}
+      workflow-event: ${{ github.event.workflow_run.event }}
+      head-sha: ${{ github.event.workflow_run.head_sha }}
+      head-branch: ${{ github.event.workflow_run.head_branch }}
+      head-repository: ${{ github.event.workflow_run.head_repository.full_name }}
+    secrets: inherit