Canonical source: docs/release/github-project-production-backlog.md
Epic: Repository Governance, Review Automation, And OSS Housekeeping
- ID: PROD-042
- Title: Add workflow linting and agentic-action security scanning
- Type: security
- Priority: P1
- Scope: active
- Area: github-actions
- Description: Add CI checks that specifically protect GitHub Actions and any future AI-agent workflows from configuration drift and unsafe trigger or permission choices.
- Acceptance criteria:
  - workflow linting runs in CI for every workflow change
  - workflow security scanning covers dangerous triggers, excessive permissions, unpinned actions, and unsafe agent-tool settings
  - CI fails when new workflow files violate the policy
- Dependencies: PROD-041
- Source docs: production-readiness-audit-2026-03-29.md; external benchmarks: milady/.github/actionlint.yaml, HyperscapeAI/hyperscape/.github/workflows/security.yml
- Suggested owner: security
- Blocker class: quality-blocking
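An added example, not code from this backlog or from the referenced repositories, of the kind of policy check the acceptance criteria describe: a line-oriented Python scanner (function names are assumed; the sample workflow is constructed) that flags dangerous triggers, broad write permissions and actions not pinned to a full commit SHA, and returns a pass/fail result a CI job can gate on. It does not cover agent-tool settings, which the page does not define.

```python
import re

# Constructed sample workflow (not from the page) carrying three policy violations.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - run: npm ci
"""

# Triggers that run with the base repository's secrets on attacker-influenced input.
DANGEROUS_TRIGGERS = {"pull_request_target", "workflow_run", "issue_comment"}
ON_INLINE = re.compile(r"^on:\s*(\S.*)$")          # on: push  /  on: [push, ...]
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$")
WRITE_SCOPE = re.compile(r"^\s*([a-z-]+):\s*write\s*$")  # e.g. contents: write
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")              # full commit SHA, not a tag

def scan_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file's text."""
    findings, in_on = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if (m := ON_INLINE.match(line)):             # scalar or inline-list trigger form
            for key in (k.strip() for k in m.group(1).strip("[]").split(",")):
                if key in DANGEROUS_TRIGGERS:
                    findings.append((no, "dangerous-trigger", key))
            continue
        if re.match(r"^on:\s*$", line):              # block-form trigger list follows
            in_on = True
            continue
        if in_on and line and not line.startswith(" "):
            in_on = False                            # left the top-level 'on:' block
        if in_on and line.strip().split(":")[0] in DANGEROUS_TRIGGERS:
            findings.append((no, "dangerous-trigger", line.strip().split(":")[0]))
        if WRITE_ALL.match(line) or (m := WRITE_SCOPE.match(line)):
            findings.append((no, "excessive-permissions", line.strip()))
        if (m := USES_LINE.match(line)) and not m.group(1).startswith("./") \
                and not SHA_PIN.search(m.group(1)):
            findings.append((no, "unpinned-action", m.group(1)))
    return findings

def policy_ok(text):
    """CI gate: True only when the workflow produces no findings."""
    return not scan_workflow(text)
```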