[Code Quality] Address zizmor security findings across all workflows

## Description

Static analysis using zizmor (security scanner) identified security vulnerabilities in agentic workflows. With 346 total findings across 147 workflows, addressing security issues systematically will improve overall workflow security posture.

## Suggested Changes

### Phase 1: Triage zizmor security findings (0.5 days)
1. Run zizmor on all workflows and collect security findings
2. Categorize by severity: Critical, High, Medium, Low
3. Group by vulnerability type:
   - Injection vulnerabilities
   - Insecure practices
   - Missing security controls
   - Dangerous permissions
4. Prioritize Critical and High severity issues

### Phase 2: Fix high-severity issues (1.5 days)
For each high-severity vulnerability type:
- Create fix pattern or codemod
- Apply to affected workflows
- Add validation rules to prevent recurrence
- Document security best practices

### Phase 3: Address medium/low severity (1 day)
- Fix remaining issues systematically
- Update security documentation
- Add pre-commit checks where applicable

## Expected Vulnerability Types

Common zizmor findings:
- Expression injection in workflow triggers
- Untrusted input used in dangerous contexts
- Overly permissive GitHub token permissions
- Secrets exposure risks
- Insecure artifact handling

## Files Affected

- All 147 workflow files in `.github/workflows/*.md`
- Security validation in `pkg/workflow/*_validation.go`
- Possible new security checks in validation layer
- Documentation updates in `docs/` and `scratchpad/`

## Success Criteria

- [ ] All zizmor findings categorized by severity and type
- [ ] Critical and High severity issues fixed (0 remaining)
- [ ] Medium severity reduced by 80%+
- [ ] Security validation rules added to prevent recurrence
- [ ] Security best practices documented
- [ ] No CI regressions introduced
- [ ] All tests passing after fixes

## Source

Extracted from [Static Analysis Report discussion #14235](https://github.com/github/gh-aw/discussions/14235)

**Context from report**:
- Security scanner: zizmor
- Total findings: 346
- Workflows affected: 147 (100%)
- Related: Issue #14231 addresses poutine supply chain findings

## Priority

**High** - Security vulnerabilities affect all workflows and should be addressed systematically to reduce attack surface.







> AI generated by [Discussion Task Miner - Code Quality Improvement Agent](https://github.com/github/gh-aw/actions/runs/21771638746)
> - [x] expires  on Feb 8, 2026, 1:29 AM UTC

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Code Quality] Address zizmor security findings across all workflows #14250

Description

Suggested Changes

Phase 1: Triage zizmor security findings (0.5 days)

Phase 2: Fix high-severity issues (1.5 days)

Phase 3: Address medium/low severity (1 day)

Expected Vulnerability Types

Files Affected

Success Criteria

Source

Priority

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Code Quality] Address zizmor security findings across all workflows #14250

Description

Description

Suggested Changes

Phase 1: Triage zizmor security findings (0.5 days)

Phase 2: Fix high-severity issues (1.5 days)

Phase 3: Address medium/low severity (1 day)

Expected Vulnerability Types

Files Affected

Success Criteria

Source

Priority

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions