From 8e348dce4cb73fc41f60340c4a70674e00924e3a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 3 Nov 2025 12:46:21 +0000 Subject: [PATCH] Update template documentation with security scanner flags This commit updates the GitHub Agentic Workflows instructions template to include: - Documentation for --zizmor and --poutine security scanner flags in compile command - New best practice recommendation to run security scanners on compiled workflows Changes synced from main .github/instructions file during template sync process. --- pkg/cli/templates/github-agentic-workflows.instructions.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/cli/templates/github-agentic-workflows.instructions.md b/pkg/cli/templates/github-agentic-workflows.instructions.md index 105e4330a9..261d1660d4 100644 --- a/pkg/cli/templates/github-agentic-workflows.instructions.md +++ b/pkg/cli/templates/github-agentic-workflows.instructions.md @@ -1097,6 +1097,9 @@ Agentic workflows compile to GitHub Actions YAML: - Example: `gh aw compile issue-triage` compiles `issue-triage.md` - Supports partial matching and fuzzy search for workflow names - **`gh aw compile --purge`** - Remove orphaned `.lock.yml` files that no longer have corresponding `.md` files +- **`gh aw compile --zizmor`** - Run zizmor security scanner on compiled workflows +- **`gh aw compile --poutine`** - Run poutine security scanner on compiled workflows +- **`gh aw compile --strict --zizmor`** - Strict mode with security scanning (fails on findings) ## Best Practices 
@@ -1114,6 +1117,7 @@ Agentic workflows compile to GitHub Actions YAML: 10. **Monitor costs with `gh aw logs`** to track AI model usage and expenses 11. **Use `--engine` filter** in logs command to analyze specific AI engine performance 12. **Prefer sanitized context text** - Use `${{ needs.activation.outputs.text }}` instead of raw `github.event` fields for security +13. **Run security scanners** - Use `--zizmor` or `--poutine` flags to scan compiled workflows for security issues ## Validation
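Review bot: the third bullet added in the first hunk (`gh aw compile --strict --zizmor` described as "Strict mode with security scanning (fails on findings)") leaves it unclear whether `--zizmor` on its own only reports findings or also makes the compile exit non-zero, and no matching `--strict --poutine` combination is listed. Document the exit behaviour of `--zizmor` and `--poutine` without `--strict` explicitly, and either add a `--strict --poutine` bullet or reword the third bullet to cover both scanners (e.g. "`gh aw compile --strict --zizmor` / `--strict --poutine` - Strict mode with security scanning (fails on findings)") so the two flags are documented symmetrically. The bullets also name external tools without saying whether `zizmor` and `poutine` have to be installed before the flag works or are fetched by `gh aw`; a one-line prerequisite note beside these flags would prevent a failed first run.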
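Review bot: new best practice 13 in the second hunk ("Use `--zizmor` or `--poutine` flags to scan compiled workflows for security issues") is advisory only: it says neither when to run the scan nor how to make findings block a change, even though the compile command section in the same patch documents `--strict` as the mode that fails on findings. Suggest tying the practice to that flag, e.g. "13. **Run security scanners** - Use `--strict --zizmor` or `--strict --poutine` when compiling, and in CI before committing `.lock.yml` files, so findings fail the build instead of only being reported". Nothing in the hunk says the two scanner flags are mutually exclusive; if they can be passed together, "or" should become "and/or" so readers do not assume they must pick one.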