[plan] Fix static analysis findings from January 2026 scan

[github-actions]

Overview

This tracking issue covers the remediation of 45 issues identified in the comprehensive static analysis scan on January 6, 2026.

Source: Discussion #9119

Findings Summary

• Total Issues: 45
• Actionlint Errors: 27 (20 expression errors, 7 shellcheck warnings)
• Zizmor Security Warnings: 18 (16 template injection, 2 medium severity)
• Poutine Findings: 0

Priority Breakdown

🔴 Critical (20 issues)

Actionlint expression errors that will cause workflow runtime failures

🟡 High (16 issues)

Template injection vulnerabilities in workflows processing user input

🟠 Medium (2 issues)

• Excessive permissions in layout-spec-maintainer.lock.yml
• Credential persistence risk in release.lock.yml

🔵 Low (7 issues)

Shellcheck style improvements (SC2129)

Planned Sub-Issues

1. Fix actionlint expression errors - Resolve undefined property references causing runtime failures
2. Fix template injection vulnerabilities - Secure user input handling in workflows
3. Fix medium severity security issues - Address excessive permissions and artifact credential risks
4. Apply shellcheck improvements - Consolidate redirects for better performance
5. Document secure workflow patterns - Create guidelines to prevent future issues

Success Criteria

• All 20 actionlint expression errors resolved
• All 16 template injection vulnerabilities mitigated
• 2 medium severity security issues fixed
• 7 shellcheck warnings addressed
• Security documentation updated

Timeline

• Week 1: Critical expression errors (sub-issue rejig docs #1)
• Week 2: Template injection fixes (sub-issue Add workflow: githubnext/agentics/weekly-research #2)
• Week 3: Security hardening (sub-issue Add workflow: githubnext/agentics/weekly-research #3)
• Week 4: Code quality improvements (sub-issues Add workflow: githubnext/agentics/weekly-research #4-5)

---

This issue tracks the remediation plan for findings in Discussion #9119

AI generated by Plan Command for discussion #9119