Objective
Fix the Medium-severity `artipacked` findings in the `copilot-token-audit` and `copilot-token-optimizer` workflows. These workflows check out code and create artifacts while secrets are accessible, risking credential persistence via artifacts.
Context
The `artipacked` finding from zizmor means a workflow both checks out code AND uploads artifacts in a context where GitHub tokens or other secrets are present. This risks accidentally persisting credentials into artifacts that could be downloaded.
Reference: Static Analysis Report - 2026-04-11
- `copilot-token-audit.lock.yml` line 368
- `copilot-token-optimizer.lock.yml` line 351
Approach
- Open `.github/workflows/copilot-token-audit.md` and `.github/workflows/copilot-token-optimizer.md`
- For each workflow, identify:
  - The `actions/checkout` step (or equivalent)
  - The artifact upload step
  - Any secrets/tokens used in the same job
- Apply one of these fixes:
  - Option A: Separate the checkout/secret-using work from artifact uploading into different jobs with minimal permissions
  - Option B: Exclude sensitive paths from artifact uploads (e.g., `.git/` directory, credential files)
  - Option C: If the checkout is not needed in the same job as secrets, move it to a separate job
- Run `make recompile` to regenerate lock files
- Run `make agent-finish` to validate
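For orientation, here is the compiled GitHub Actions shape of the pattern zizmor flags, next to one hardened form along the lines of Option B. This is an added illustration, not code from this issue or from the project's workflow sources; the job names, the `build-report.sh` script and the `report/` output directory are hypothetical placeholders, and the real change is made in the `.md` sources and regenerated with `make recompile`. Beyond the options listed above, the hardened job also sets `persist-credentials: false` on `actions/checkout`, which is the remediation zizmor documents for this finding, because the default checkout writes the `GITHUB_TOKEN` into `.git/config` and that file is what an archived workspace leaks.

```yaml
# Added illustration (not from the issue or the project): the artipacked
# pattern in compiled GitHub Actions form, and a hardened variant.
# Job names, build-report.sh and report/ are hypothetical placeholders.

jobs:
  # --- Before: checkout and upload in one job, whole workspace archived ---
  report-before:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        # default persist-credentials: true stores the job token in
        # .git/config so later git commands in this job can use it
      - run: ./scripts/build-report.sh   # hypothetical; writes report/
      - uses: actions/upload-artifact@v4
        with:
          name: token-report
          path: .   # archives .git/ too, including the stored token

  # --- After (Option B, plus no stored credentials) ---
  report-after:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is never written to .git/config
      - run: ./scripts/build-report.sh
      - name: Refuse to archive a .git directory or credential files
        # cheap guard that fails the job before anything sensitive is uploaded
        run: |
          if find report \( -name .git -o -name .git-credentials -o -name .netrc \) | grep -q .; then
            echo "sensitive paths found under report/, not uploading" >&2
            exit 1
          fi
      - uses: actions/upload-artifact@v4
        with:
          name: token-report
          path: |
            report/
            !report/**/.git/**   # belt-and-braces exclusion of any nested repo
```

The guard step and the `!` exclusion pattern are independent of each other: the exclusion keeps `.git/` out of the archive even if a nested checkout appears later, while the `find` check makes the job fail loudly instead of silently shipping a trimmed artifact, which is the easier condition to spot in CI logs.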
Steps
- Examine `copilot-token-audit.md` around the step at lock line 368
- Examine `copilot-token-optimizer.md` around the step at lock line 351
- Determine the appropriate fix for each based on the workflow's structure
- Apply the fix in the `.md` source files
- Recompile and validate
Acceptance Criteria
- `artipacked` findings resolved in both workflows
- No `.git` directories included in artifacts
- `make recompile` completes without errors
- `make agent-finish` passes

Related to [static-analysis] Static Analysis Report - 2026-04-11 #25835