Static Analysis Report - 2026-02-23

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of 158 agentic workflows using zizmor, poutine, and actionlint. Today's scan shows a significant improvement of 54.4% fewer actionlint issues vs. yesterday, with all expression errors fully resolved.

• Tools Used: zizmor, poutine, actionlint 1.7.11
• Total Actionlint Findings: 157 (down from 344 yesterday, -54.4%)
• Total Poutine Findings: 9 (down from 11 yesterday, -18%)
• Total Zizmor Findings: 0 (clean — 3rd consecutive clean scan)
• Workflows Scanned: 158
• Workflows with Actionlint Issues: 23 (down from 151+ yesterday)

Findings by Tool

Tool	Total	Critical	High	Medium	Warning	Info
zizmor (security)	0	0	0	0	0	0
poutine (supply chain)	9	0	0	0	1	8
actionlint (linting)	157	—	—	—	0	157

---

Clustered Findings by Tool and Type

Actionlint Linting Issues

Issue Type	Count	Affected Workflows
SC1003 (single quote escaping)	156	23 workflows
SC2295 (expansion quoting in \$\{..})	1	ci-doctor

All 157 actionlint issues are shellcheck-originated and classified as info severity. The dominant pattern (SC1003) originates from awf commands using single-quoted domain lists in compiled .lock.yml files.

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Files
github_action_from_unverified_creator_used	info	4	4 locations
unverified_script_exec	info	2	copilot-setup-steps.yml, daily-copilot-token-report
unpinnable_action	info	2	daily-perf-improver, daily-test-improver
pr_runs_on_self_hosted	warning	1	smoke-copilot-arm

Zizmor Security Findings

No findings. Zizmor scanned all 158 files and found zero security issues.

---

Top Priority Issues

1. SC1003 — Single Quote Escaping in awf Domain Lists

• Tool: actionlint (shellcheck)
• Count: 156 occurrences across 23 workflows
• Severity: info
• Affected Workflows: copilot-cli-deep-research, daily-compiler-quality, daily-doc-updater, daily-file-diet, daily-mcp-concurrency-analysis, daily-syntax-error-quality, daily-testify-uber-super-expert, delight, developer-docs-consolidator, discussion-task-miner, glossary-maintainer, go-fan, go-logger, instructions-janitor, layout-spec-maintainer, semantic-function-refactor, sergo, step-name-alignment, typist, ubuntu-image-analyzer, unbloat-docs, workflow-skill-extractor, ci-doctor
• Description: awf command lines use single-quoted domain lists (e.g., '*.githubusercontent.com,...'). ShellCheck SC1003 warns about patterns inside single-quoted strings.
• Impact: Low (info-level). Does not affect runtime behavior, but produces noise in static analysis output.
• Reference: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-shellcheck-integ

2. pr_runs_on_self_hosted — PR Running on Self-Hosted Runner

• Tool: poutine
• Count: 1
• Severity: warning
• Affected: smoke-copilot-arm.lock.yml:278 — runs-on: ubuntu-24.04-arm
• Description: A pull request workflow runs on a self-hosted runner. Self-hosted runners with PRs from forks are a supply chain risk — untrusted code runs in a privileged environment.
• Impact: Medium. If PRs from external forks trigger this workflow, the self-hosted runner environment may be compromised.

3. unverified_script_exec — curl-pipe-bash Without Integrity Check

• Tool: poutine
• Count: 2
• Severity: info
• Affected:
  • .github/workflows/copilot-setup-steps.yml:17
  • .github/workflows/daily-copilot-token-report.lock.yml:302
• Description: Both run curl -fsSL https://raw.githubusercontent.com/.../install-gh-aw.sh | bash without a checksum or signature verification.
• Impact: If the script at the URL is tampered with (compromised repo or CDN), the runner executes malicious code.

---

Fix Suggestion for SC1003 (Most Common Issue)

Issue: Single-quote escaping in shell scripts with awf domain lists
Severity: info
Affected Workflows: 23 workflows (156 occurrences)

Prompt to Copilot Agent:

You are fixing a code quality issue identified by shellcheck (SC1003) in GitHub Actions workflow files.

**Vulnerability**: SC1003 - ShellCheck Single Quote Escaping
**Rule reference**: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-shellcheck-integ

**Current Issue**:
Shell scripts in compiled workflow .lock.yml files contain `awf` commands with single-quoted domain
lists. ShellCheck SC1003 fires because it detects patterns within single-quoted strings.

**Example problematic pattern** in .md source workflow:
```yaml
run: |
  sudo -E awf --allow-domains '*.githubusercontent.com,api.github.com,...' \
    --other-flags

Required Fix:
Replace single-quoted domain lists with double-quoted strings. Wildcards in domain names are not
shell glob patterns when passed as command arguments, so double-quoting is correct:

run: |
  sudo -E awf --allow-domains "*.githubusercontent.com,api.github.com,..." \
    --other-flags

IMPORTANT: Fix the .md source files, NOT the .lock.yml compiled files.
After fixing, recompile with: gh aw compile

Affected source files to fix:
.github/workflows/copilot-cli-deep-research.md
.github/workflows/daily-compiler-quality.md
.github/workflows/daily-doc-updater.md
.github/workflows/daily-file-diet.md
.github/workflows/daily-mcp-concurrency-analysis.md
.github/workflows/daily-syntax-error-quality.md
.github/workflows/daily-testify-uber-super-expert.md
.github/workflows/delight.md
.github/workflows/developer-docs-consolidator.md
.github/workflows/discussion-task-miner.md
.github/workflows/glossary-maintainer.md
.github/workflows/go-fan.md
.github/workflows/go-logger.md
.github/workflows/instructions-janitor.md
.github/workflows/layout-spec-maintainer.md
.github/workflows/semantic-function-refactor.md
.github/workflows/sergo.md
.github/workflows/step-name-alignment.md
.github/workflows/typist.md
.github/workflows/ubuntu-image-analyzer.md
.github/workflows/unbloat-docs.md
.github/workflows/workflow-skill-extractor.md
.github/workflows/ci-doctor.md

---

### All Findings Details

<details>
<summary><b>Actionlint SC1003 — Affected Workflows (23 files)</b></summary>

All SC1003 errors occur in `run:` steps that call the `awf` binary with `--allow-domains` using single-quoted domain lists.

| Workflow | Occurrences |
|----------|-------------|
| ci-doctor | 1 (SC2295 also present) |
| copilot-cli-deep-research | 4 |
| daily-compiler-quality | 8 |
| daily-doc-updater | 8 |
| daily-file-diet | 8 |
| daily-mcp-concurrency-analysis | 4 |
| daily-syntax-error-quality | ~6 |
| daily-testify-uber-super-expert | ~6 |
| delight | ~6 |
| developer-docs-consolidator | ~6 |
| discussion-task-miner | ~6 |
| glossary-maintainer | ~6 |
| go-fan | ~6 |
| go-logger | ~10 |
| instructions-janitor | ~6 |
| layout-spec-maintainer | ~6 |
| semantic-function-refactor | ~12 |
| sergo | ~6 |
| step-name-alignment | ~6 |
| typist | ~20 |
| ubuntu-image-analyzer | ~6 |
| unbloat-docs | ~6 |
| workflow-skill-extractor | ~6 |

</details>

<details>
<summary><b>Poutine Findings — Detail</b></summary>

#### `unverified_script_exec` (info)
Both flagged files execute:
```bash
curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash

Fix: Download the script first, verify its SHA256 checksum, then execute:

curl -fsSL https://raw.githubusercontent.com/.../install-gh-aw.sh -o /tmp/install.sh
echo "EXPECTED_SHA256  /tmp/install.sh" | sha256sum -c
bash /tmp/install.sh

unpinnable_action (info)

Composite actions in:

• .github/actions/daily-perf-improver/build-steps/action.yml
• .github/actions/daily-test-improver/coverage-steps/action.yml

These local composite actions cannot be pinned to a SHA. This is an inherent limitation of composite actions within the same repository.

pr_runs_on_self_hosted (warning)

• smoke-copilot-arm.lock.yml:278: runs-on: ubuntu-24.04-arm

If this workflow is triggered by external fork PRs, consider using GitHub-hosted runners or adding if: github.event.pull_request.head.repo.full_name == github.repository to restrict to internal PRs only.

github_action_from_unverified_creator_used (info)

4 actions from creators without verified status on the GitHub Marketplace. Consider auditing these actions and potentially migrating to verified alternatives.

Compiler Warnings (25 total — unchanged)

Warning Type	Count
Experimental feature: safe-inputs	6
Unresolvable action version (hardcoded pin used)	7
Experimental feature: rate-limit	3
Copilot engine web-search unsupported	2
Missing permissions warning	1
Other	6

These 25 compiler warnings are unchanged from previous scans and are informational notices about experimental features in use.

---

Historical Trends

Date	Actionlint	Expression Errors	Shellcheck	Zizmor	Poutine	Delta
2026-02-21	719	267	452	11	0	—
2026-02-22	344	22	322	0	11	-375 (-52%)
2026-02-23	157	0	157	0	9	-187 (-54%)

3-day trajectory: 719 → 344 → 157 — an 78% total reduction in actionlint issues since 2026-02-21.

Resolved Since Yesterday

• expression:precompute_undefined — 22 occurrences in 4 workflows — FULLY RESOLVED
• expression:check_ci_status_undefined — 6 occurrences in hourly-ci-cleaner — FULLY RESOLVED
• shellcheck:SC2129 — 164 occurrences in 151 workflows — FULLY RESOLVED

New Since Yesterday

• shellcheck:SC2295 — 1 occurrence in ci-doctor.lock.yml:305 (low severity, expansion quoting)

Recurring Issues

• shellcheck:SC1003 — stable at 156-158 across all scans (awf domain list quoting pattern)
• poutine:unverified_script_exec — improved from 4 to 2 occurrences

---

Recommendations

1. Low priority: Address SC1003 (156 occurrences) by switching awf --allow-domains argument quoting from single to double quotes in .md source files. This is a style issue with no functional impact.
2. Medium priority: Review the pr_runs_on_self_hosted finding in smoke-copilot-arm. Ensure this workflow is not triggered by external fork PRs, or add a condition to restrict it to internal PRs.
3. Medium priority: Add script integrity verification to the two remaining curl | bash patterns in copilot-setup-steps.yml and daily-copilot-token-report.
4. Low priority: Review 4 github_action_from_unverified_creator_used instances — assess whether these actions require migration to verified alternatives.
5. Ongoing: Continue monitoring the SC1003 trend — it has been stable for 3 days, indicating a systemic template pattern that warrants a one-time fix rather than per-workflow patches.

Next Steps

• Apply single-quote → double-quote fix to awf --allow-domains in 23 .md source workflows
• Evaluate PR trigger conditions for smoke-copilot-arm (self-hosted runner risk)
• Add checksum verification to install-gh-aw.sh curl-pipe-bash pattern
• Audit 4 unverified creator actions for supply chain risk
• SC2295 in ci-doctor: quote the expansion inside \$\{..} at ci-doctor.lock.yml:305

References:

• §22295520493
• §22271961680 (previous scan, 2026-02-22)
• §22251902773 (2026-02-21 baseline)

AI generated by Static Analysis Report

• expires on Feb 24, 2026, 6:44 AM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent has materialized from the digital ether!

I've completed my rounds: tested GitHub MCP, fetched PRs, built binaries, and even wrote a haiku (coming soon 🎵).

The machines are happy, the code compiles, and all green lights are blinking. I shall return to the shadows from whence I came... until the next smoke test. 👻

📰 BREAKING: Report filed by Smoke Copilot

[github-actions[bot]]

💥 KAPOW! The smoke test agent was here! 🦸

WHOOSH — Faster than a speeding workflow run, more powerful than a merge conflict...

The Claude Smoke Test Agent swooped in at 2026-02-23T07:03Z to verify all systems are GO!

ZAP! 🔥 Tests firing. BOOM! 💥 Results incoming. POW! 🚀 All checks nominal!

"With great automation comes great responsibility." — Uncle CI/CD

💥 [THE END] — Illustrated by Smoke Claude

[pelikhan]

/plan

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-24T06:44:42.659Z.

Closed by Workflow