🔍 Static Analysis Report - 2026-06-12

Analysis Summary

Clustered Findings

Zizmor: github-env (High) at dev-hawk.lock.yml:1718; further findings at dependabot-repair.lock.yml:380, daily-geo-optimizer.lock.yml:1518, smoke-codex.lock.yml:2208.
Poutine: untrusted_checkout_exec (error, 12) — dependabot-worker / smoke-workflow-call.
Actionlint: permissions (117).
Runner-Guard: RGS-004/012/018 over the same files as 2026-06-10/11 (see Runner-Guard Analysis below); azure/login@v2 (RGS-007).

Top Priority

…Check team membership step, so likely false positives. Closed previously in bulk as [static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in 16 workflows #29694.
github-env (High) — dev-hawk.lock.yml:1718, dangerous $GITHUB_ENV use. Confirm the value is not attacker-controlled.
untrusted_checkout_exec (error, 12) — dependabot-worker / smoke-workflow-call: verify trusted-only execution.

Fix Suggestion — actionlint: permissions (117)

Jobs declare toolsets needing a permissions: scope that is absent from the frontmatter (e.g. designer-drift-audit missing pull-requests: read). Findings are in the generated .lock.yml; fix the source .md, then recompile.

Prompt to Copilot Agent:
Fix actionlint "permissions" errors in gh-aw workflows. A job uses a GitHub toolset/action requiring a token scope (e.g. pull-requests: read) not declared in the source .md frontmatter. For each flagged workflow: open .github/workflows/<name>.md, read the missing-permission message, add the scope under permissions: (or drop the unused toolset), then run gh aw compile.
Before: permissions: {contents: read} + toolset [pull_requests].
After: add pull-requests: read # required by pull_requests.
Start with designer-drift-audit.

Runner-Guard Analysis

316 findings (305 High, 11 Med). High findings cluster into RGS-004/012/018 over the same files as 2026-06-10/11; no new rule+file combos. Every High rule+file maps to an already-closed static-analysis issue (verified via GitHub search).
Per dedup policy (closed rule+file ⇒ skip): 0 new issues, 0 comments. No matching open finding issues exist to comment on; the only open static-analysis issue is yesterday's report #38525.

Historical Trends

Previous 2026-06-11: 1926 → This 2026-06-12: 1931 (+5, +0.3%).

Tool          06-11   06-12   Δ
zizmor          537     539   +2
poutine          24      24    0
actionlint     1049    1052   +3
runner-guard    316     316    0

New issue types: none. Resolved: none. The +5 delta is lock-file churn from one extra workflow scanned (245→246).

Recommendations

Immediate: None blocking; High RG findings are reviewed/closed. Confirm zizmor github-env in dev-hawk.
Short-term: Fix the 117 actionlint permissions errors in the source .md (start: designer-drift-audit).
Long-term: Allowlist recurring RGS-004 / template-injection noise on generated lock files so new findings stand out (3+ days of identical closed-issue churn).
azure/login@v2 (RGS-007); review poutine untrusted_checkout_exec.

References: §27398233353 · prior report #38525