[task] Add github-token secret validation

[github-actions]

Objective

Prevent accidental secret leakage by validating that github-token field uses GitHub Actions secret expressions, not plaintext values.

Context

Related to discussion #2457 (Schema Consistency Audit).

The schema allows any string for github-token, with no pattern validation. Users could accidentally commit secrets:

github-token: ghp_actualSecretInPlainText  # 😱 LEAKED!

Approach

Option A (Recommended): Add compile-time warning in pkg/workflow/github_token.go:

func validateGitHubToken(token string) error {
    // Check if token looks like a secret expression
    if !strings.Contains(token, "${{") || !strings.Contains(token, "secrets.") {
        return fmt.Errorf("github-token should use secret expression (e.g., ${{ secrets.GITHUB_TOKEN }}), not plaintext value")
    }
    return nil
}

Option B: Add schema pattern validation in pkg/parser/schemas/main_workflow_schema.json:

{
  "type": "string",
  "pattern": "^\\$\\{\\{.*secrets\\..*\\}\\}$",
  "description": "GitHub token expression using secrets",
  "examples": ["${{ secrets.GITHUB_TOKEN }}"]
}

Files to Modify

• Update: pkg/workflow/github_token.go (add validation function)
• Update: pkg/workflow/compiler.go (call validation during compilation)
• Update: pkg/parser/schemas/main_workflow_schema.json (add pattern if using Option B)
• Create: pkg/workflow/github_token_validation_test.go (test validation)

Acceptance Criteria

• Valid secret expressions pass validation: ${{ secrets.GITHUB_TOKEN }}
• Plaintext tokens trigger clear error/warning
• Error message suggests correct format
• Existing workflows with valid tokens continue to work
• Unit tests cover valid and invalid cases
  Related to [Schema Consistency] 🔍 Schema Consistency Check - Security & Type Safety Audit (2025-10-25) #2457

AI generated by Plan Command for discussion #2457

[pelikhan]

Option B.