Nice, this overall looks great! I'm not familiar with the workflow_call/workflow_run distinction, though, so I haven't looked closely at that. (It looks reasonable, though.)

Another change you might want to make is to list shellcheck as an additional_dependency of actionlint -- I made this change to Ruff's pre-commit config: https://github.com/astral-sh/ruff/blob/0837cdd9314cb9ee1df087142af975d492e3e7ba/.pre-commit-config.yaml#L103-L121. actionlint's shellcheck integration is very useful (it grabs the shell-script strings in GitHub Actions run: steps and passes them to shellcheck), but it's not enabled by default when actionlint is run as part of pre-commit, as actionlint's shellcheck integration only works if shellcheck is already installed.

LGTM