Static Analysis Report - 2026-02-22

[github-actions[bot]]

Analysis Summary

• Tools Used: zizmor, poutine, actionlint
• Scan Date: 2026-02-22
• Workflow Run: §22271961680
• Total Findings: 355 (344 actionlint + 11 poutine + 0 zizmor)
• Workflows Scanned: 158
• Workflows Affected by actionlint: 151
• Compiler Errors: 0 (all workflows compiled successfully)

Findings by Tool

Tool	Total	Critical	High	Medium	Warning	Info/Style
zizmor (security)	0	0	0	0	0	0
poutine (supply chain)	11	0	0	0	1	10
actionlint (linting)	344	—	—	—	—	344 errors

Note: Zizmor produced 0 findings. The 11 poutine findings are equivalent to last scan's 11 zizmor findings — same underlying issues, different tool attribution.

---

Clustered Findings by Tool and Type

Actionlint Linting Issues

Issue Type	Rule	Count	Unique Workflows
Grouped redirects suggestion	SC2129 (style)	164	151
Single-quote escape syntax	SC1003 (info)	158	23
Undefined precompute job outputs	[expression]	22	4
Undefined check_ci_status outputs	[expression]	6	1
Undefined release outputs	[expression]	3	1
Undefined output property	[expression]	1	1

SC2129 is present across 151 workflows because it is generated by the compiled workflow template — all lock files share the same shell script pattern. This is a style suggestion inherent to the gh-aw compiler output.

SC1003 affects 23 workflows with single-quote escaping issues in --allow-domains argument strings.

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Files
unverified_script_exec	info	4	copilot-setup-steps.yml, daily-copilot-token-report
github_action_from_unverified_creator_used	info	4	(4 generic occurrences)
unpinnable_action	info	2	daily-perf-improver/build-steps, daily-test-improver/coverage-steps
pr_runs_on_self_hosted	warning	1	smoke-copilot-arm

Zizmor Security Findings

No findings. Zizmor scanned 158 files and produced zero security alerts.

---

Top Priority Issues

1. expression:precompute_undefined — Actionlint Error

• Tool: actionlint
• Count: 22 occurrences
• Severity: Error
• Affected: bot-detection (12), hourly-ci-cleaner (6), release (3), issue-monster (1)
• Description: Jobs reference needs.precompute.outputs.* or needs.check_ci_status.outputs.* without declaring those jobs in their needs: list. Actionlint cannot type-check the output keys.
• Impact: Potential runtime failures if job execution order isn't enforced; breaks static analysis confidence.
• Reference: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-syntax-expression

2. unverified_script_exec — Poutine Warning

• Tool: poutine
• Count: 4 occurrences
• Severity: info
• Affected: copilot-setup-steps.yml (lines 17, 42), daily-copilot-token-report (lines 349, 361)
• Description: curl ... | bash and curl ... | sh patterns pipe remote scripts directly into a shell without cryptographic integrity verification.
• Impact: Supply chain risk — a compromised remote server or MITM could inject malicious code.

3. pr_runs_on_self_hosted — Poutine Warning

• Tool: poutine
• Count: 1
• Severity: warning
• Affected: smoke-copilot-arm (line 347, runs-on: ubuntu-24.04-arm)
• Description: A PR-triggered workflow runs on a self-hosted runner, which can expose the runner to untrusted pull request code.

---

Fix Suggestion for expression:precompute_undefined

Issue: Jobs reference needs.precompute.outputs.* without declaring precompute in needs:
Severity: Error
Affected Workflows: 4 workflows (22 occurrences)

Prompt to Copilot Agent:

You are fixing a workflow linting error identified by actionlint in the github/gh-aw repository.

**Vulnerability**: Expression error — `needs.precompute` is referenced but not declared as a dependency
**Rule**: actionlint [expression] — property not defined in object type {}
**Reference**: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-syntax-expression

**Current Issue**:
Jobs in these workflow Markdown source files reference `needs.precompute.outputs.*` or
`needs.check_ci_status.outputs.*` in their `env:` blocks, but they do not declare those
upstream jobs in their `needs:` field. This causes actionlint type errors because the
outputs object type is `{}` (empty) from actionlint's perspective.

**Affected Files**:
- `.github/workflows/bot-detection.md` — 12 expression errors for `needs.precompute.outputs.*`
- `.github/workflows/hourly-ci-cleaner.md` — 6 errors for `needs.precompute` + 6 for `needs.check_ci_status`
- `.github/workflows/release.md` — 3 errors for `needs.precompute.outputs.*`
- `.github/workflows/issue-monster.md` — 1 error for `needs.precompute.outputs.*`

**Required Fix**:
For each affected job that uses `needs.precompute.outputs.*`, add `precompute` to that job's
`needs:` list. Similarly for `check_ci_status`.

**Example**:

Before:
```yaml
jobs:
  precompute:
    runs-on: ubuntu-latest
    outputs:
      action: $\{\{ steps.compute.outputs.action }}
      issue_body: $\{\{ steps.compute.outputs.issue_body }}

  agent:
    # no needs: declared
    env:
      GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ACTION: $\{\{ needs.precompute.outputs.action }}
```

After:
```yaml
jobs:
  precompute:
    runs-on: ubuntu-latest
    outputs:
      action: $\{\{ steps.compute.outputs.action }}
      issue_body: $\{\{ steps.compute.outputs.issue_body }}

  agent:
    needs: [precompute]
    env:
      GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ACTION: $\{\{ needs.precompute.outputs.action }}
```

After making changes, recompile with `gh aw compile` and verify the expression errors are gone.

---

Detailed Actionlint Findings by Workflow

Expression Errors (22 total)

bot-detection (12 errors)

• Lines 98–101, 202–205, 224–227: needs.precompute.outputs.action, issue_body, issue_number, issue_title — referenced in 3 separate jobs, 4 outputs each

hourly-ci-cleaner (6 errors)

• needs.precompute.outputs.* (multiple) + needs.check_ci_status.outputs.*

release (3 errors)

• needs.precompute.outputs.* in 1 job, 3 output keys

issue-monster (1 error)

• 1 reference to needs.precompute.outputs.*

SC1003 Top Affected Workflows

Workflow	Occurrences
typist	20
semantic-function-refactor	12
daily-mcp-concurrency-analysis	12
go-logger	10
step-name-alignment	8
layout-spec-maintainer	8
glossary-maintainer	8
delight	8
daily-file-diet	8
daily-doc-updater	8
daily-compiler-quality	8

SC2129 Note

SC2129 appears in 151 of 158 workflows because it is generated by the compiled workflow template. The pattern cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" followed by subsequent >> appends triggers this style suggestion. It is a compiler output artifact and not a per-workflow issue.

Compiler Warnings (25 total)

• 6× Using experimental feature: safe-inputs
• 3× Using experimental feature: rate-limit
• 7× Unable to resolve action version dynamically (actions/checkout, setup-node, setup-go, docker/* actions)
• 2× Engine 'copilot' does not support web-search tool
• 1× example-permissions-warning.md — missing contents: write, issues: write, pull-requests: write permissions (intentional example workflow)

Poutine Findings Detail

unverified_script_exec (4 findings)

File	Line	Command
copilot-setup-steps.yml	17	curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
copilot-setup-steps.yml	42	curl -LsSf (astral.sh/redacted) | sh
daily-copilot-token-report.lock.yml	349	curl -fsSL .../install-gh-aw.sh | bash
daily-copilot-token-report.lock.yml	361	curl -LsSf (astral.sh/redacted) | sh

unpinnable_action (2 findings)

• .github/actions/daily-perf-improver/build-steps/action.yml:1:1
• .github/actions/daily-test-improver/coverage-steps/action.yml:1:1

pr_runs_on_self_hosted (1 finding)

• .github/workflows/smoke-copilot-arm.lock.yml:347 — runs-on: ubuntu-24.04-arm

---

Historical Trends

Metric	2026-02-21	2026-02-22	Delta
Workflows scanned	156	158	+2
Actionlint total	719	344	-375 (↓52%)
Actionlint shellcheck	452	322	-130
Actionlint expression	267	22	-245 (↓92%)
Zizmor findings	11	0	-11
Poutine findings	0	11	+11

Resolved Since Last Scan

• expression:pre_activation_undefined — 208 occurrences across 104 workflows → FULLY RESOLVED
• expression:matched_command_undefined — 37 occurrences across 37 workflows → FULLY RESOLVED
• shellcheck:SC2086 (unquoted variables) — 132 occurrences → FULLY RESOLVED

Regressions

• expression:precompute_undefined increased from 12 (1 workflow) to 22 (4 workflows): the issue spread to hourly-ci-cleaner, release, and issue-monster in addition to bot-detection.

Note on Zizmor/Poutine

The 11 poutine findings today are equivalent in content to the 11 zizmor findings reported on 2026-02-21 (same files: copilot-setup-steps, daily-copilot-token-report, smoke-copilot-arm, daily-perf-improver/build-steps, daily-test-improver/coverage-steps). Tool attribution appears to have shifted between scans; the underlying supply-chain posture is unchanged.

---

Recommendations

1. Immediate — Fix needs: dependencies in bot-detection.md, hourly-ci-cleaner.md, release.md, and issue-monster.md to resolve 22 actionlint expression errors. Use the Copilot fix prompt above.
2. Short-term — Consider replacing curl | bash install patterns in copilot-setup-steps.yml with pinned releases and checksum verification to address poutine unverified_script_exec findings.
3. Ongoing — SC2129 is a compiler-generated artifact; address at the template level rather than per-workflow.
4. Monitor — SC1003 is stable at 158 occurrences; single-quote escaping issues in --allow-domains argument strings across 23 workflows.

Next Steps

• Fix needs: declarations in the 4 affected workflows (expression errors)
• Evaluate checksum-verified install scripts for astral.sh/uv and install-gh-aw.sh
• Review smoke-copilot-arm self-hosted runner usage on PRs
• Investigate whether SC2129 can be resolved at the compiler template level

References:

• §22271961680 — Current workflow run
• §22251902773 — Previous scan (2026-02-21)

AI generated by Static Analysis Report

• expires on Mar 1, 2026, 6:34 AM UTC

[pelikhan]

/plan