Static Analysis Report - 2026-02-20

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of all agentic workflow files using zizmor, poutine, and actionlint. All 153 workflows compiled successfully with zero structural failures. However, actionlint identified 719 issues across the entire workflow fleet, predominantly false-positive-style linting findings in compiled .lock.yml artifacts.

• Tools Used: zizmor, poutine, actionlint (v1.7.11, with shellcheck & pyflakes)
• Total Findings: 727 (719 actionlint + 8 zizmor + 0 poutine)
• Workflows Scanned: 153
• Workflows Affected: 153 (actionlint), 3 (zizmor)
• Compilation Failures: 0

Findings by Tool

Tool	Total	Critical	High	Medium	Low / Info
zizmor (security)	8	0	0	0	8
poutine (supply chain)	0	0	0	0	0
actionlint (linting)	719	—	—	—	719

---

Clustered Findings by Tool and Type

Actionlint Linting Issues (719 total)

Category breakdown:

Category	Count
shellcheck	455
expression	264

Shellcheck Findings:

Rule	Severity	Count	Description
SC2129	style	167	Consider using { cmd1; cmd2; } >> file instead of individual redirects
SC1003	info	158	Single-quote escaping issue in shell scripts
SC2086	info	130	Double-quote variables to prevent globbing and word splitting

Expression Findings (undefined properties):

Undefined Property	Count	Description
pre_activation	208	Job exists in some workflows but outputs schema doesn't declare all referenced properties
matched_command	34	matched_command output not declared in pre_activation job outputs schema
precompute	12	precompute job not in scope for the referencing step
check_ci_status	6	check_ci_status job outputs not in scope
release	3	release job outputs not in scope
output	1	Property output not defined

Zizmor Security Findings (8 total — all info severity)

Issue Type	Severity	Count	Affected Files
unverified_script_exec	info	4	copilot-setup-steps.yml, daily-copilot-token-report.lock.yml
github_action_from_unverified_creator_used	info	4	Various workflows
unpinnable_action	info	2	daily-perf-improver/build-steps/action.yml, daily-test-improver/coverage-steps/action.yml

Poutine Supply Chain Findings

No findings. Poutine scan completed clean.

---

Top Priority Issues

1. Expression: pre_activation / matched_command undefined outputs (242 total)

• Tool: actionlint
• Count: 208 (pre_activation) + 34 (matched_command) = 242 occurrences
• Severity: Error (actionlint classification)
• Affected: All 153 compiled lock.yml workflows
• Description: Workflows reference needs.pre_activation.outputs.activated and needs.pre_activation.outputs.matched_command in env blocks, but the pre_activation job's outputs: schema only declares activated, not matched_command. In some workflows, the pre_activation job doesn't exist at all (the job is named activation instead), causing actionlint to flag all references as undefined.
• Impact: These are false positives at runtime — the env vars default to empty strings safely. However, they indicate a systemic inconsistency in how the compiler emits pre_activation job output references across different workflow patterns.
• Reference: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-syntax-expression

2. SC2129 — Individual redirects instead of grouped redirect (167 occurrences)

• Tool: actionlint (shellcheck)
• Count: 167 occurrences across all workflows
• Severity: Style
• Affected: All 153 workflows (in create_prompt_first.sh invocation blocks)
• Description: Shell scripts use multiple individual >> file redirects instead of grouping them with { cmd1; cmd2; } >> file.
• Impact: Minor performance/style concern. Generated consistently by the compiler template.
• Reference: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-shellcheck-integ

3. SC1003 — Single-quote escaping (158 occurrences)

• Tool: actionlint (shellcheck)
• Count: 158 occurrences
• Severity: Info
• Description: Unescaped apostrophes inside single-quoted strings in generated shell script blocks.

4. SC2086 — Unquoted variables (130 occurrences)

• Tool: actionlint (shellcheck)
• Count: 130 occurrences
• Affected Files: Workflows using cache-memory check scripts
• Description: $GITHUB_OUTPUT referenced without double quotes in echo "has_content=true" >> $GITHUB_OUTPUT.
• Impact: Minimal risk in practice (the variable is set by GitHub Actions runner and won't contain spaces), but flagged as a style issue.

5. Zizmor: unverified_script_exec — curl | bash patterns (4 occurrences)

• Tool: zizmor
• Count: 4 occurrences
• Severity: Info
• Affected: copilot-setup-steps.yml, daily-copilot-token-report.lock.yml
• Description: Workflows use curl | sh or curl | bash patterns which download and execute scripts from the internet without verifying integrity. This is a supply chain risk.
• Impact: If the remote script is compromised, arbitrary code executes in the runner. Should be replaced with verified download + hash check + execute pattern.
• Reference: (woodruffw.github.io/redacted)

---

Fix Suggestion for pre_activation Undefined Outputs (Highest Count)

Issue: Expression errors — matched_command not declared in pre_activation outputs schema
Severity: Error (actionlint)
Affected: 242 occurrences across all compiled workflows

Prompt to Copilot Agent:

You are fixing a systemic linting issue identified by actionlint in compiled GitHub Actions workflow files (.lock.yml).

**Vulnerability**: Missing output declaration in `pre_activation` job schema
**Rule**: actionlint [expression] - property not defined in object type
**Reference**: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-syntax-expression

**Current Issue**:
The `pre_activation` job declares only `activated` in its `outputs:` block, but downstream jobs reference both `needs.pre_activation.outputs.activated` AND `needs.pre_activation.outputs.matched_command`. Actionlint correctly flags `matched_command` as undefined in the output schema.

Additionally, some workflows use an `activation` job (not `pre_activation`) but still reference `needs.pre_activation.outputs.*`, causing actionlint to report the entire `pre_activation` key as undefined.

**Required Fix**:
In the compiler/template that generates `.lock.yml` files:

1. When a `pre_activation` job is included, ensure ALL outputs that downstream jobs may reference are declared in the job's `outputs:` block.
2. Add `matched_command` to the `pre_activation` job outputs declaration.

**Example**:

Before:
```yaml
  pre_activation:
    runs-on: ubuntu-slim
    outputs:
      activated: $\{\{ steps.check_membership.outputs.is_team_member == 'true' }}
    steps:
      ...
```

After:
```yaml
  pre_activation:
    runs-on: ubuntu-slim
    outputs:
      activated: $\{\{ steps.check_membership.outputs.is_team_member == 'true' }}
      matched_command: $\{\{ steps.check_activation.outputs.matched_command || '' }}
    steps:
      ...
```

3. For workflows where the job is named `activation` (not `pre_activation`), either:
   - Rename `activation` to `pre_activation` for consistency, OR
   - Update all downstream `needs.pre_activation.outputs.*` references to `needs.activation.outputs.*`

The source of truth is the `.md` workflow files and the compiler template in the `actions/` directory. Fix the template rather than patching individual `.lock.yml` files, since those are generated artifacts.

---

Compiler Warnings (24 total)

View Compiler-Level Warnings

Warning Type	Count	Details
Fixed schedule time	8	Workflows use fixed cron times; fuzzy scheduling recommended to avoid thundering herd
Experimental features	7	Workflows use rate-limit or safe-inputs experimental features
Unresolved action versions	7	Dynamic version resolution failed; hardcoded pins used as fallback
Unsupported tools	2	copilot engine doesn't support web-search tool
Permission warnings	1	example-permissions-warning.md missing contents: write, issues: write, pull-requests: write

Unresolved actions that used hardcoded pins:

• actions/github-script@v7 → pinned to v7.1.0
• actions/setup-node@v6 → pinned to v6.2.0
• actions/setup-go@v6 → pinned to v6.2.0
• actions/setup-go@v5 → pinned to v5.6.0
• actions/checkout@v6 → pinned to v6.0.2
• docker/setup-buildx-action@v3 → pinned to v3.12.0
• docker/build-push-action@v6 → pinned to v6.19.2
• anchore/sbom-action@v0 → pinned to v0.22.2
• docker/login-action@v3 → pinned to v3.7.0
• docker/metadata-action@v5 → pinned to v5.10.0

---

Historical Trends

This is the first scan — establishing baseline metrics.

Metric	2026-02-20 (Baseline)
Workflows scanned	153
Actionlint issues	719
Zizmor findings	8
Poutine findings	0

Future scans will compare against this baseline to track regression or improvement.

---

Recommendations

1. Immediate: Investigate the pre_activation job output schema gap in the workflow compiler template. Adding matched_command to the declared outputs would eliminate 242 expression errors across all workflows.

2. Short-term: Address unverified_script_exec zizmor findings in copilot-setup-steps.yml and daily-copilot-token-report by replacing curl | bash with a verified download pattern (download → checksum verify → execute).

3. Short-term: Fix SC2086 (unquoted $GITHUB_OUTPUT) in the cache-memory check script template — quote the variable: echo "has_content=true" >> "$GITHUB_OUTPUT".

4. Long-term: The SC2129 and SC1003 shellcheck findings are generated by compiler templates. Updating the shell script generation in the compiler would fix all 325 occurrences simultaneously.

5. Prevention: All three tools (zizmor, poutine, actionlint) are already integrated into the CI pipeline. Consider creating a tracked issue for the pre_activation output schema fix to reduce the actionlint error count from 719 toward 0 over time.

Next Steps

• Fix pre_activation job outputs schema to include matched_command in compiler template
• Review and fix curl | bash patterns in setup scripts (zizmor unverified_script_exec)
• Quote $GITHUB_OUTPUT in cache-memory check scripts (SC2086)
• Track actionlint count as a metric in future scans to measure progress
• Update this report weekly via the static-analysis-report workflow

References:

• §22213980182

AI generated by Static Analysis Report

• expires on Feb 27, 2026, 6:37 AM UTC