You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Posture: stable. 947 vs 948 yesterday (−1). No new rule classes. Every high-severity runner-guard finding maps to a rule class already triaged & closed in prior runs (see below).
Clustered Findings
Zizmor (all Informational/Low, no High/Med/Crit — artifacts of generated lock files):
Per #31043 ("RGS-* issues recreated daily after closure") — the maintainer guidance this workflow's dedup implements — refiling an identical rule ID under only a different filename is the duplicate anti-pattern. No matching issue is currently open, so nothing is refiled. Medium findings are below the create-issue threshold.
Top Actionable Issue — skillet.lock.yml actionlint expression error
Lines 1385/1411/1882: needs.pre_activation.* referenced but pre_activation is not a member of needs (valid: activation, agent, detection, safe_outputs).
Impact: reference to a non-existent job output evaluates empty at runtime → can silently disable a gate. This is a real source defect, unlike the taint FPs. Fix: correct the renamed/removed job reference in skillet.md source and recompile.
Fix Suggestion — actionlint SC2016 (most common lint, 21×)
Issue: SC2016: Expressions don't expand in single quotes — a $VAR/${...} token sits inside single quotes where expansion was likely intended. Fix in the source .md/generator, never the .lock.yml.
Prompt to Copilot Agent:
Fix a shellcheck SC2016 finding in a gh-aw generated workflow. Edit the SOURCE .md
(or the generator step emitting the snippet), not the .lock.yml.
Rule SC2016: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-shellcheck-integ
A run: block has `$X`/`${X}` inside SINGLE quotes, so it is emitted literally instead of
expanding. Choose per intent:
1. Value should expand -> change the surrounding quotes to double quotes.
2. Literal $... intended (jq/awk program, placeholder) -> keep single quotes and add
`# shellcheck disable=SC2016` on the line above to make intent explicit.
Before: run: echo 'total is $TOTAL'
After: run: echo "total is $TOTAL" # expansion intended
Or: run: |
# shellcheck disable=SC2016
jq '.data | $count' file.json # literal intended
Recompile with gh-aw and confirm SC2016 is gone for that line. Apply the correct variant
per script; do not blanket-convert quotes. Affected: ~21 lock files (agent-performance-analyzer,
ci-coach, pr-triage-agent, workflow-health-manager, daily-*, ...).
Historical Trends
Metric
2026-07-04
2026-07-05
Δ
zizmor
553
552
−1
poutine
22
22
0
actionlint
40
40
0
runner-guard
333
333
0
Total
948
947
−1
New issue types: none. Resolved: none. Flat ~4 days; actionlint dropped ~480→40 around 2026-07-02 (scan-scope/dedup change) and has held.
Recommendations & Next Steps
Immediate: Fix skillet.lock.ymlpre_activation undefined-property at its .md source — the only genuine correctness defect this run.
Short-term: Sweep the 21 SC2016 findings (fix prompt above); pin publish-safe-outputs-node.yml action to a SHA (RGS-007).
Long-term: Teach runner-guard (or add ignore fingerprints) about gh-aw's activation gate so RGS-004/005 stop dominating high counts; annotate installer/readiness run: blocks tripping RGS-012/018.
🔍 Static Analysis Report - 2026-07-05
Analysis Summary
Clustered Findings
Zizmor (all Informational/Low, no High/Med/Crit — artifacts of generated lock files):
Poutine:
smoke-workflow-call*.lock.yml(all# poutine:ignore, trusted generated scripts)safedep/pmg,super-linter,astral-sh/setup-uv,actions-ecosystem/action-add-labels,gaurav-nelson/...markdown-link-check(SHA-pinned)daily-byok-ollama-test,smoke-codex,copilot-setup-stepssmoke-copilot-arm.lock.ymlActionlint (30 workflows): shellcheck 37 (SC2016×21, SC2038×6, SC2086×5, SC2034×2, SC2188/SC2129/SC2005 ×1); expression 3 → all
skillet.lock.ymlneeds.pre_activationundefined.Runner-Guard (score/grade line not emitted this run):
q(122),dev-hawk(93),ai-moderator(90)daily-model-inventory(4),daily-byok-ollama-test(3),visual-regression-checker(2),docs-noob-tester,daily-multi-device-docs-testersmoke-codex,smoke-claude,daily-sentrux-report,daily-cli-performance,daily-byok-ollama-test,copilot-setup-steps.ymlai-moderator(4),q(3),agentic_commands.ymlwindows-cli-integration.yml,error-message-lint.ymlpublish-safe-outputs-node.ymlRunner-Guard Analysis & Dedup Decision
Issues created this run: none. All high-severity findings belong to rule classes already filed and closed previously:
activationgate (author-association/lockdown) that runner-guard doesn't model → systematic FP.daily-model-inventory[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-model-inventory.lock.yml #30776/[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-model-inventory #30079,docs-noob-tester[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in docs-noob-tester #28488/[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in docs-noob-tester, visual-regression-checker #29462,daily-multi-device-docs-tester[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-multi-device-docs-tester.lock.yml #33477,visual-regression-checker[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in visual-regression-checker.lock.yml #30947. Flagged blocks are localhost readiness polls / tool installers.require(...), trufflehog/ollama installers — legitimate.Per #31043 ("RGS-* issues recreated daily after closure") — the maintainer guidance this workflow's dedup implements — refiling an identical rule ID under only a different filename is the duplicate anti-pattern. No matching issue is currently open, so nothing is refiled. Medium findings are below the create-issue threshold.
Top Actionable Issue —
skillet.lock.ymlactionlint expression errorneeds.pre_activation.*referenced butpre_activationis not a member ofneeds(valid:activation,agent,detection,safe_outputs).skillet.mdsource and recompile.Fix Suggestion — actionlint SC2016 (most common lint, 21×)
Issue:
SC2016: Expressions don't expand in single quotes— a$VAR/${...}token sits inside single quotes where expansion was likely intended. Fix in the source.md/generator, never the.lock.yml.Prompt to Copilot Agent:
Historical Trends
New issue types: none. Resolved: none. Flat ~4 days; actionlint dropped ~480→40 around 2026-07-02 (scan-scope/dedup change) and has held.
Recommendations & Next Steps
skillet.lock.ymlpre_activationundefined-property at its.mdsource — the only genuine correctness defect this run.publish-safe-outputs-node.ymlaction to a SHA (RGS-007).activationgate so RGS-004/005 stop dominating high counts; annotate installer/readinessrun:blocks tripping RGS-012/018.skillet.lock.ymlneeds.pre_activationin sourcepublish-safe-outputs-node.yml(RGS-007)error-message-lint.ymlReferences: §28731332447