Status: Closed, 5 of 5 sub-issues completed
Overview
This tracking issue covers the remediation of 45 issues identified in the comprehensive static analysis scan (actionlint, zizmor and poutine) of the repository's GitHub Actions workflows on January 6, 2026.
Source: Discussion #9119
Findings Summary
- Total Issues: 45
- Actionlint Errors: 27 (20 expression errors, 7 shellcheck warnings)
- Zizmor Security Warnings: 18 (16 template injection, 2 medium severity)
- Poutine Findings: 0
Priority Breakdown
🔴 Critical (20 issues)
Actionlint expression errors that will cause workflow runtime failures
🟡 High (16 issues)
Template injection: untrusted event data (issue and PR titles or bodies, comments, branch names, workflow inputs) expanded with ${{ }} directly inside run: scripts, where a crafted value becomes shell code
🟠 Medium (2 issues)
- Excessive permissions in layout-spec-maintainer.lock.yml (a blanket grant where the job needs only specific scopes)
- Credential persistence risk in release.lock.yml (a checkout without persist-credentials: false leaves the token in .git/config, where a later artifact upload can capture it)
🔵 Low (7 issues)
Shellcheck style improvements (SC2129: consecutive redirects to the same file should be grouped into one { ...; } >> file block)
Planned Sub-Issues
- Fix actionlint expression errors - Resolve undefined property references causing runtime failures
- Fix template injection vulnerabilities - Stop expanding untrusted ${{ }} values inside run: scripts; pass them through env: and quote them in the shell
- Fix medium severity security issues - Replace the excessive permissions grant with per-scope permissions and set persist-credentials: false on the checkout that feeds the artifact
- Apply shellcheck improvements - Consolidate consecutive redirects to the same file (SC2129)
- Document secure workflow patterns - Create guidelines to prevent future issues
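As an added example (not code from the scanned repository, nor from zizmor or actionlint), the script below implements line-based versions of three of the checks listed above: ${{ }} expansion of user-controlled contexts inside run: scripts, actions/checkout steps that keep credentials on disk, and blanket permissions: write-all. It runs them over two constructed workflows, a vulnerable one and its hardened form, and expand() reproduces the runner's textual substitution to show why the injection is exploitable. The USER_CONTROLLED context list and both sample workflows are assumptions made for illustration.

```python
import re

# Contexts an outside contributor controls (assumed list; extend for other payload fields).
USER_CONTROLLED = re.compile(
    r"github\.event\.(issue|pull_request|comment|review|discussion)\.(title|body)"
    r"|github\.event\.pull_request\.head\.ref|github\.head_ref|github\.event\.inputs\."
    r"|github\.event\.head_commit\.message|\binputs\.")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def run_blocks(text):
    """Yield (line_no, line) for each line of a run: value; a `run: |`
    block scalar is followed by indentation."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        if m:
            base = len(m.group(1)) + len(m.group(2) or "")
            if m.group(3).strip() in ("|", "|-", ">", ">-"):
                i += 1
                while i < len(lines) and (not lines[i].strip() or
                                          len(lines[i]) - len(lines[i].lstrip()) > base):
                    yield i + 1, lines[i]
                    i += 1
                continue
            yield i + 1, lines[i]
        i += 1


def find_template_injections(text):
    """[(line_no, expression)] for user-controlled contexts expanded inside a shell
    script. github.actor or issue.number are not flagged: no shell metacharacters."""
    return [(no, e) for no, line in run_blocks(text)
            for e in EXPR.findall(line) if USER_CONTROLLED.search(e)]


def expand(line, context):
    """Mimic the runner: ${{ }} is substituted as text before bash parses the
    script, which is why a crafted issue title becomes shell code."""
    return EXPR.sub(lambda m: context.get(m.group(1), ""), line)


def find_checkout_credential_risks(text):
    """Line numbers of actions/checkout steps lacking persist-credentials: false
    (without it the token stays in .git/config for every later step)."""
    lines, hits = text.splitlines(), []
    for i, line in enumerate(lines):
        if "uses: actions/checkout@" not in line:
            continue
        key_indent, body = line.index("uses:"), []
        for nxt in lines[i + 1:]:  # the rest of this step's keys
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                break
            body.append(nxt)
        if not any(re.search(r"persist-credentials:\s*false", b) for b in body):
            hits.append(i + 1)
    return hits


def find_write_all(text):
    """Line numbers of `permissions: write-all`; grant per-scope instead."""
    return [i + 1 for i, l in enumerate(text.splitlines())
            if re.match(r"^\s*permissions:\s*write-all\s*$", l)]


# Constructed sample workflows, not taken from the scanned repository.
VULNERABLE = r"""on: {issues: {types: [opened]}}
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "${{ github.event.issue.body }}" > body.txt
      - run: echo "num=${{ github.event.issue.number }} by ${{ github.actor }}"
"""

HARDENED = r"""on: {issues: {types: [opened]}}
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Echo title
        env:  # expressions land in env vars; bash only ever sees $TITLE and $BODY
          TITLE: ${{ github.event.issue.title }}
          BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $TITLE"
          printf '%s\n' "$BODY" > body.txt
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_template_injections(wf), find_checkout_credential_risks(wf), find_write_all(wf))
    print(expand('echo "${{ github.event.issue.title }}"', {"github.event.issue.title": '"; id; echo "'}))
```

The checks are deliberately indentation-based rather than a YAML parse so the script has no dependencies; zizmor does the same job properly, and this only shows what each finding class looks like and how the hardened workflow clears it. The last print shows the substituted command `echo ""; id; echo ""`: the title closed the quoted string and smuggled in `id`, which the env: pattern in HARDENED prevents because bash receives the value as a variable, never as script text.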
Success Criteria
- All 20 actionlint expression errors resolved
- All 16 template injection vulnerabilities mitigated
- 2 medium severity security issues fixed
- 7 shellcheck warnings addressed
- Security documentation updated
Timeline
- Week 1: Critical expression errors (sub-issue 1)
- Week 2: Template injection fixes (sub-issue 2)
- Week 3: Security hardening (sub-issue 3)
- Week 4: Code quality improvements (sub-issues 4-5)
This issue tracks the remediation plan for findings in Discussion #9119
AI generated by Plan Command for discussion #9119