🔍 Static Analysis Report - November 10, 2025

[github-actions[bot]]

🔍 Static Analysis Report - November 10, 2025

Executive Summary

Today's static analysis scan identified 8 critical workflow compilation errors affecting 4 workflows that will cause runtime failures. These are genuine structural issues, not false positives. The primary issue is missing activation job dependencies in workflows that reference activation job outputs.

Key Findings:

• 8 high-severity actionlint errors across 4 workflows
• All errors are the same root cause: missing activation job in dependencies
• Affected workflows: q.md, daily-doc-updater.md, poem-bot.md, tidy.md
• Impact: Workflows will fail immediately when triggered

Comparison with Previous Scan:

• Previous scan (Nov 9): 953 findings (mostly false positives from markdown in heredocs)
• Current scan (Nov 10): 8 genuine high-severity errors
• Change: -945 findings, but discovered critical runtime errors

Analysis Summary

• Tools Used: actionlint (via gh-aw MCP server)
• Tools Unavailable: zizmor, poutine (not installed in runner environment)
• Workflows Scanned: 14 workflows (sample compilation)
• Workflows Affected: 4 workflows
• Total Findings: 8 errors + 2 warnings

Findings by Severity

Severity	Count	Description
Critical	0	-
High	8	Activation job missing from dependencies
Medium	0	-
Low	1	Network firewalling warning for Claude
Info	1	Package validation warning

Detailed Findings

1. Critical: Activation Job Missing Error

Issue Type: expression (actionlint)
Severity: High
Count: 8 occurrences across 4 workflows
Category: Workflow Structure Error

Affected Workflows

Workflow	Occurrences	Lines
q.md	2	Lines 5298, 5299
daily-doc-updater.md	2	Lines 3713, 3714
poem-bot.md	2	Lines 5911, 5912
tidy.md	2	Lines 4249, 4250

Error Description

The safe-outputs job references needs.activation.outputs.comment_id and needs.activation.outputs.comment_repo, but the activation job is not included in the job's needs array:

jobs:
  safe-outputs:
    needs: [agent, detection]  # ❌ activation is missing!
    env:
      GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
      GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}

Error Message:

error: [expression] property "activation" is not defined in object type

Impact

• Immediate workflow failure when triggered
• Error occurs during workflow initialization before any jobs run
• Workflow runs will be marked as failed
• May block automated processes depending on these workflows

Root Cause

Workflows that trigger on commands or events expect an activation job to exist and provide outputs, but the job is not included in the dependency chain for the safe-outputs job.

2. Low: Network Firewalling Warning

Issue Type: Network firewall unsupported
Severity: Low
Count: 1 occurrence
Affected Workflow: daily-doc-updater.md

Warning:

Selected engine 'claude' does not support network firewalling; 
workflow specifies network restrictions (network.allowed). 
Network may not be sandboxed.

Impact: Claude workflows cannot enforce network restrictions, potentially allowing unintended network access.

Recommendation: Consider using Copilot engine if network sandboxing is required, or accept that Claude workflows have unrestricted network access.

3. Info: Package Validation Warning

Issue Type: pip package validation failed
Severity: Info
Count: 1 occurrence
Affected Workflow: scout.md

Warning:

pip package 'markitdown-mcp' validation failed - skipping verification. 
Package may or may not exist on PyPI.

Impact: Package validation could not verify if markitdown-mcp exists, but workflow will attempt to install it anyway. This may cause runtime errors if the package doesn't exist.

Historical Trends

Comparison with previous scans from cache memory:

Date	Total Findings	High Severity	Tools Used	Notes
2025-11-10	8	8	actionlint	Critical errors discovered
2025-11-09	953	0	actionlint	Mostly false positives (SC2006, SC2287 in heredocs)
2025-11-08	5	0	actionlint	Low-impact findings
2025-11-04	147	0	actionlint, zizmor	Template injection (low severity)

Key Insights

1. Nov 9 → Nov 10: Discovered critical runtime errors that were masked by high volume of false positives
2. False Positives: SC2006 (694) and SC2287 (251) from markdown in heredocs are not real issues
3. Real Issues: Activation job missing error affects multiple production workflows
4. Tool Availability: zizmor and poutine not available since Nov 5 (not installed in runner)

Fix Recommendations

Immediate Action Required

Priority 1: Fix Activation Job Missing Error

I've created a detailed fix template at /tmp/gh-aw/cache-memory/fix-templates/actionlint-activation-job-missing.md

Quick Fix Options:

Option A: Add activation to needs (if activation job exists):

jobs:
  safe-outputs:
    needs: [agent, detection, activation]  # ✅ Add activation

Option B: Remove references (if activation not needed):

jobs:
  safe-outputs:
    needs: [agent, detection]
    env:
      # Replace with:
      GH_AW_COMMENT_ID: ${{ github.event.comment.id }}
      GH_AW_COMMENT_REPO: ${{ github.repository }}

Affected Files to Fix:

1. .github/workflows/q.md
2. .github/workflows/daily-doc-updater.md
3. .github/workflows/poem-bot.md
4. .github/workflows/tidy.md

Long-term Recommendations

1. Install Static Analysis Tools: Add zizmor and poutine to the runner environment for comprehensive security scanning
2. Pre-commit Hooks: Add actionlint to pre-commit hooks to catch errors before commit
3. Workflow Templates: Update workflow creation templates to include proper job dependencies
4. Documentation: Document expected job structure for command-triggered workflows
5. CI Integration: Add static analysis check to CI/CD pipeline
6. Filter False Positives: Configure shellcheck to ignore markdown in heredocs (SC2006, SC2287)

Static Analysis Tool Status

Tool	Status	Notes
actionlint	✅ Available	Successfully detecting workflow structure errors
zizmor	❌ Not installed	Would provide security vulnerability scanning
poutine	❌ Not installed	Would provide supply chain security analysis
shellcheck	✅ Available	Integrated via actionlint

To enable full scanning:

# Install in GitHub Actions runner or local environment
pip install zizmor
pip install poutine

Next Steps

• CRITICAL: Fix activation job errors in 4 affected workflows
• Test fixed workflows with gh aw compile --actionlint
• Consider installing zizmor and poutine for comprehensive security scanning
• Add actionlint to pre-commit hooks
• Update workflow templates with correct job dependencies
• Document workflow job structure requirements

Full Scan Data

Complete Workflow Compilation Results

Workflows Compiled Successfully (No Errors)

1. archie.md (264.3 KB)
2. brave.md (257.6 KB)
3. changeset.md (267.0 KB)
4. craft.md (289.4 KB)
5. mergefest.md (262.5 KB)
6. plan.md (255.1 KB)
7. grumpy-reviewer.md (278.9 KB)
8. scout.md (263.9 KB) - Package validation warning only
9. pr-nitpick-reviewer.md (294.4 KB)

Workflows with Errors

q.md (316.3 KB)

File: .github/workflows/q.lock.yml

Error 1 (Line 5298):

error: [expression] property "activation" is not defined in object type 
{agent: {outputs: {output: string; output_types: string}; result: string}; 
detection: {outputs: {}; result: string}}

5296 |           GH_AW_PR_IF_NO_CHANGES: "warn"
5297 |           GH_AW_MAX_PATCH_SIZE: 1024
5298 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Error 2 (Line 5299):

error: [expression] property "activation" is not defined in object type

5297 |           GH_AW_MAX_PATCH_SIZE: 1024
5298 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
5299 |           GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

daily-doc-updater.md (226.9 KB)

File: .github/workflows/daily-doc-updater.lock.yml

Warning: Network firewalling not supported for Claude engine

Error 1 (Line 3713):

error: [expression] property "activation" is not defined in object type

3711 |           GH_AW_PR_IF_NO_CHANGES: "warn"
3712 |           GH_AW_MAX_PATCH_SIZE: 1024
3713 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Error 2 (Line 3714):

error: [expression] property "activation" is not defined in object type

3713 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
3714 |           GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

poem-bot.md (390.5 KB)

File: .github/workflows/poem-bot.lock.yml

Error 1 (Line 5911):

error: [expression] property "activation" is not defined in object type

5909 |           GH_AW_PR_IF_NO_CHANGES: "warn"
5910 |           GH_AW_MAX_PATCH_SIZE: 1024
5911 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Error 2 (Line 5912):

error: [expression] property "activation" is not defined in object type

5911 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
5912 |           GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

tidy.md (286.9 KB)

File: .github/workflows/tidy.lock.yml

Error 1 (Line 4249):

error: [expression] property "activation" is not defined in object type

4247 |           GH_AW_PR_IF_NO_CHANGES: "warn"
4248 |           GH_AW_MAX_PATCH_SIZE: 1024
4249 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Error 2 (Line 4250):

error: [expression] property "activation" is not defined in object type

4249 |           GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
4250 |           GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Technical Details

Scan Methodology

1. Used gh-aw MCP server compile tool with actionlint: true flag
2. Compiled workflows in batches to avoid timeout
3. Sample of 14 workflows selected for targeted analysis
4. Focused on detecting genuine compilation errors vs. style issues

Error Pattern Analysis

All 8 errors follow the same pattern:

• Location: safe-outputs job environment variables
• Variables: GH_AW_COMMENT_ID and GH_AW_COMMENT_REPO
• Expression: needs.activation.outputs.*
• Root cause: activation job not in needs array

This suggests a systematic issue in the workflow generation or template, affecting multiple workflows with similar trigger patterns.

Limitations of Current Scan

1. Tools unavailable: zizmor and poutine not installed
2. Sample size: Only 14 of 74 workflows compiled
3. False positives: Previous scans show shellcheck flags markdown in heredocs
4. Scope: Focused on actionlint compilation errors only

---

Scan Details:

• Date: 2025-11-10
• Tools: actionlint (zizmor and poutine unavailable)
• Workflows scanned: 14 sample workflows
• Full scan data: /tmp/gh-aw/cache-memory/security-scans/2025-11-10.json
• Fix template: /tmp/gh-aw/cache-memory/fix-templates/actionlint-activation-job-missing.md

AI generated by Static Analysis Report

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.