
[plan] Achieve 100% GitHub Actions security compliance #7992

@github-actions

Overview

This tracking issue covers the implementation of remaining security improvements identified in the static analysis report. The repository currently has an excellent 99.9% security compliance rate, and this plan will bring it to 100%.

Source: Discussion #7983 - Static Analysis Report (2025-12-28)

Current Status

The static analysis revealed:

  • ✅ 99.9% action pinning rate (5,714/5,715 actions pinned)
  • ✅ Zero write permissions at workflow level
  • ✅ All third-party actions from trusted sources
  • ⚠️ 1 action needs to be pinned to SHA

Planned Tasks

This work is broken down into 5 actionable sub-issues:

  1. Identify and pin the remaining unpinned action - Achieve 100% action pinning compliance
  2. Enable automated static analysis tools - Set up Docker environment for zizmor and poutine
  3. Fix actionlint compilation issues - Debug and resolve actionlint integration
  4. Document security practices - Create comprehensive security documentation
  5. Establish automated security monitoring - Set up daily security scans
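As an added example for task 1 and for the workflow-level permissions check (this is not code from the repository, the static analysis report, or the tools named above), the following scanner reads a constructed workflow, classifies each `uses:` reference as pinned to a full commit SHA or not, and lists any write permissions granted at the workflow level; the sample workflow and its action references are constructed for illustration.

```python
import re
# Constructed sample workflow (not from the repository): one action pinned to a
# commit SHA, one pinned only to a mutable tag, one repository-local action.
SAMPLE_WORKFLOW = """\
on: [push]
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-build
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_uses(ref: str) -> str:
    """'pinned' only when the ref after '@' is a full 40-hex commit SHA."""
    if ref.startswith(("./", "docker://")):
        return "local"  # local actions and images are out of scope for SHA pinning here
    _, _, version = ref.rpartition("@")
    return "pinned" if SHA_RE.match(version) else "unpinned"

def scan_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, uses ref, classification) for every `uses:` entry."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            out.append((lineno, m.group(1), classify_uses(m.group(1))))
    return out

def pinning_rate(findings) -> tuple[int, int]:
    """(pinned, total) over remote actions; the report counts 5,714/5,715."""
    remote = [f for f in findings if f[2] != "local"]
    return sum(1 for f in remote if f[2] == "pinned"), len(remote)

def workflow_level_writes(text: str) -> list[str]:
    """Scopes granted write at the top level; the target state is none."""
    writes, in_block = [], False
    for line in text.splitlines():
        if line and not line.startswith(" "):
            in_block = line.startswith("permissions:")
            if in_block and "write-all" in line:
                writes.append("write-all")
            continue
        if in_block and line.strip().endswith(": write"):
            writes.append(line.strip().split(":")[0])
    return writes
```

Run over every file under `.github/workflows/` to locate the one remaining unpinned reference; the `unpinned` entries are the ones to replace with a commit SHA (keeping the version as a trailing comment, as the sample does).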

Success Criteria

  • 100% action pinning compliance (5,715/5,715)
  • Automated static analysis tools running in CI
  • Security documentation published
  • Daily security monitoring enabled

Timeline

Estimated completion: 1-2 weeks

  • High priority items (1-2): 1-2 days
  • Medium priority items (3-4): 3-5 days
  • Low priority items (5): Ongoing

AI generated by Plan Command for discussion #7983
