You are fixing a security vulnerability identified by zizmor.
**Vulnerability**: github-env — dangerous use of GitHub Actions environment file
**Rule**: github-env — (docs.zizmor.sh/redacted)
**Location**: `.github/workflows/dev-hawk.lock.yml:739:9` and `:1584:9`
**Source**: `.github/workflows/dev-hawk.md` (the lock.yml is generated; edit the .md source)
**Current Issue**:
The workflow appends values to `$GITHUB_ENV` and/or `$GITHUB_OUTPUT` whose content can be influenced by untrusted input (PR titles, commit messages, branch names, comment bodies, or any step output that wraps such input). Writing un-sanitized data to `$GITHUB_ENV` lets an attacker inject arbitrary environment variables that downstream steps will read, potentially overriding `PATH`, `LD_PRELOAD`, `NODE_OPTIONS`, or secret-bearing variables and achieving code execution.
**Required Fix**:
1. Open `.github/workflows/dev-hawk.md` and locate the bash blocks at lines corresponding to lock.yml 739 and 1584 (look for `>> "$GITHUB_ENV"` or `>> $GITHUB_ENV`).
2. For each write to `$GITHUB_ENV`:
   a. If the value is constant (not derived from user input), prefer setting it in the `env:` block of the job/step rather than writing to `$GITHUB_ENV`.
   b. If the value MUST be derived dynamically, validate the input against a strict allowlist regex BEFORE writing. Reject newlines and `=` characters, which can break the file format.
   c. Use the heredoc form to prevent newline injection: `echo "NAME<<EOF" >> $GITHUB_ENV; echo "$value" >> $GITHUB_ENV; echo EOF >> $GITHUB_ENV` ONLY after sanitizing.
3. If the variable is used by a single subsequent step, prefer step outputs (`$GITHUB_OUTPUT`) scoped to that step plus an `env:` mapping in the consumer, rather than `$GITHUB_ENV`.
4. After editing, run `gh aw compile dev-hawk` (or the project's equivalent) to regenerate the lock file, then run zizmor on the regenerated file to confirm the High finding is cleared.
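A helper that applies steps 2b and 2c for the dynamic case, written here as an added example and not taken from the `dev-hawk` workflow or from gh-aw. It assumes the consuming step only needs a value matching a conservative allowlist (the regex is an assumption; narrow it to what the consumer actually accepts) and demonstrates against a constructed temp file rather than the runner's real `$GITHUB_ENV`.

```shell
#!/bin/sh
# Added example (not from dev-hawk or gh-aw): allowlist-validate a dynamic value,
# then write it to $GITHUB_ENV in heredoc form with a random delimiter so a crafted
# value can never add extra NAME=VALUE lines. The allowlist regex is an assumption.
set -eu

NL='
'

# Return 0 if VALUE may be written. Rejects empty values, values over 200 bytes,
# anything containing a newline or '=', and any character outside the allowlist.
is_safe_value() {
  value="$1"
  [ -n "$value" ] && [ "${#value}" -le 200 ] || return 1
  case "$value" in
    *"$NL"* | *=* ) return 1 ;;
  esac
  printf '%s\n' "$value" | grep -Eq '^[A-Za-z0-9._/ -]+$'
}

# Append "NAME<<delim / VALUE / delim" to the file named by $GITHUB_ENV, but only
# after both the variable name and the value pass validation.
set_github_env() {
  name="$1"; value="$2"
  printf '%s\n' "$name" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$' \
    || { echo "set_github_env: bad variable name '$name'" >&2; return 1; }
  is_safe_value "$value" \
    || { echo "set_github_env: rejected unsafe value for $name" >&2; return 1; }
  # Random delimiter: a value cannot guess it, so it cannot close the heredoc early.
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$GITHUB_ENV"
}

# Demo against a constructed temp file instead of the runner's real environment file.
GITHUB_ENV="$(mktemp)"
export GITHUB_ENV
set_github_env TARGET 'Fix login bug in auth-service'           # accepted
set_github_env TARGET "Fix login bug${NL}INJECTED=1" || true     # rejected: newline
set_github_env TARGET 'NODE_OPTIONS=--require ./x.js' || true   # rejected: '='
cat "$GITHUB_ENV"
```

Only the accepted write reaches the file, as one three-line heredoc block; the two rejected inputs are the shapes the finding warns about (a second `NAME=VALUE` line smuggled in via newline, and a value that is itself an assignment).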
**Example**:
Before (unsafe):
```yaml
- name: Compute target
  run: |
    TARGET="${{ github.event.issue.title }}"
    echo "TARGET=$TARGET" >> $GITHUB_ENV
```
### Affected Workflows — Full Roll-up
<details>
<summary>Zizmor — affected workflows (46)</summary>
`agent-performance-analyzer`, `agentic-token-audit`, `agentic-token-optimizer`, `ai-moderator`, `audit-workflows`, `contribution-check`, `copilot-agent-analysis`, `copilot-cli-deep-research`, `copilot-pr-nlp-analysis`, `copilot-pr-prompt-analysis`, `copilot-session-insights`, `daily-cli-performance`, `daily-code-metrics`, `daily-geo-optimizer`, `daily-news`, `daily-otel-instrumentation-advisor`, `daily-reliability-review`, `daily-sentrux-report`, `daily-testify-uber-super-expert`, `daily-token-consumption-report`, `dataflow-pr-discussion-dataset`, `deep-report`, `delight`, `dependabot-repair`, `dev-hawk`, `discussion-task-miner`, `firewall-escape`, `grumpy-reviewer`, `issue-triage-agent`, `mattpocock-skills-reviewer`, `metrics-collector`, `pr-code-quality-reviewer`, `pr-nitpick-reviewer`, `pr-triage-agent`, `security-compliance`, `security-review`, `sergo`, `smoke-agent-all-merged`, `smoke-agent-all-none`, `smoke-agent-public-approved`, `smoke-agent-public-none`, `smoke-agent-scoped-approved`, `smoke-ci`, `smoke-codex`, `smoke-service-ports`, `workflow-health-manager`
</details>
<details>
<summary>Poutine — affected workflows (12)</summary>
`agentic-token-audit`, `copilot-setup-steps`, `dataflow-pr-discussion-dataset`, `dependabot-worker`, `hippo-embed`, `link-check`, `mcp-inspector`, `smoke-codex`, `smoke-copilot-arm`, `smoke-workflow-call`, `smoke-workflow-call-with-inputs`, `super-linter`
</details>
<details>
<summary>Runner-Guard — affected workflows (15)</summary>
`agentic_commands`, `ai-moderator`, `copilot-setup-steps`, `daily-cli-performance`, `daily-model-inventory`, `daily-multi-device-docs-tester`, `daily-sentrux-report`, `dev-hawk`, `docs-noob-tester`, `error-message-lint`, `go-logger`, `q`, `smoke-claude`, `smoke-codex`, `visual-regression-checker`
</details>
<details>
<summary>Actionlint — sample issues</summary>
- **`copilot-requests: write`** — 110 occurrences. `copilot-requests` is not a real GitHub Actions permission scope. Either remove or replace with `models: write` if the intent was Copilot model access.
- **`queue: max` under `concurrency:`** — 236 occurrences (every compiled workflow). Only `cancel-in-progress` and `group` are valid keys; `queue` is rejected by the Actions runtime, though it may not block runs, depending on parser leniency.
- **shellcheck SC2086 (double-quote to prevent globbing)** — 461 occurrences.
- **shellcheck SC2016 (single-quote prevents expansion)** — 461 occurrences. Many are intentional and could be suppressed with `# shellcheck disable=SC2016` at the script top.
</details>
### Historical Trends
| Date | zizmor | poutine | actionlint | runner-guard | Workflows |
|------|--------|---------|------------|--------------|-----------|
| 2026-05-21 | 72 | 21 | 1285 | 305 | 233 |
| 2026-05-22 | 71 | 21 | 1286 | 296 | 234 |
| 2026-05-23 | 73 | 21 | 1284 | 305 | 234 |
| 2026-05-24 | 73 | 21 | 1289 | 282 | 235 |
| 2026-05-26 | 73 | 24 | 1293 | 282 | 236 |
| **2026-05-27** | **73** | **24** | **1293** | **285** | **236** |
**Delta vs 2026-05-26**: zizmor 0, poutine 0, actionlint 0, runner-guard **+3** (RGS-004 only).
#### New Issue Patterns
- None. The RGS-004 +3 came from the same 3 already-affected workflows (likely a small refactor adding 1 step to each).
#### Resolved Issue Patterns
- None.
### Recommendations
1. **Immediate** — Fix the 2 zizmor `github-env` High findings in `dev-hawk.md` (5-day regression). See fix prompt above.
2. **Immediate** — Investigate why RGS-004 grew +3 on `q`, `ai-moderator`, `dev-hawk`. If a shared template adds steps inside an `issue_comment`-triggered job, fix the template once.
3. **Short-term** — Re-evaluate the closed RGS-012/018 issues for `daily-model-inventory`, `visual-regression-checker`, `docs-noob-tester`, `daily-multi-device-docs-tester`, `smoke-claude`, `smoke-codex`. If suppressed intentionally, document the rationale in a `# runner-guard:ignore` comment instead of relying on closed issues for dedup.
4. **Short-term** — Replace `copilot-requests: write` with the correct scope (110 occurrences) and remove the invalid `queue: max` concurrency key (236 occurrences) — both are no-ops that pollute actionlint output.
5. **Long-term** — The 461 SC2016 findings are largely noise from `${{ ... }}` expressions inside single-quoted heredocs. Suppress with `# shellcheck disable=SC2016` in the generator template.
6. **Prevention** — Update workflow templates to (a) sanitize before `>> $GITHUB_ENV`, (b) bind `${{ github.event... }}` to `env:` rather than inline-expanding, (c) add `author_association` guards to comment-triggered jobs by default.
### Next Steps
- [ ] Apply `github-env` fix on `dev-hawk.md` (Fix Suggestion above)
- [ ] Investigate RGS-004 +3 regression on `q`, `ai-moderator`, `dev-hawk`
- [ ] Decide policy: re-open closed runner-guard issues vs `# runner-guard:ignore` comments
- [ ] Fix `copilot-requests` permission scope across 110 occurrences
- [ ] Remove invalid `queue: max` from concurrency block in workflow template
**References**:
- [§26493874470](https://github.com/github/gh-aw/actions/runs/26493874470)
- [§26435168567 (yesterday)](https://github.com/github/gh-aw/actions/runs/26435168567)
- [zizmor github-env audit](docs.zizmor.sh/redacted)
> Generated by [📊 Static Analysis Report](https://github.com/github/gh-aw/actions/runs/26493874470) · opus47 15.2M · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw+is%3Aissue+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fstatic-analysis-report%22&type=issues)
> - [x] expires <!-- gh-aw-expires: 2026-06-03T06:14:53.022Z --> on Jun 3, 2026, 6:14 AM UTC
### Analysis Summary
#### Findings by Tool
#### Critical Issues (visible)
- **zizmor `github-env`** persists on `dev-hawk.lock.yml` (lines 739, 1584), 5th consecutive day without remediation. Dangerous use of the environment file enables script injection if `GITHUB_ENV` writes unsanitized input.
- **runner-guard** findings on `daily-model-inventory.lock.yml`, `daily-multi-device-docs-tester.lock.yml`, `docs-noob-tester.lock.yml`, `visual-regression-checker.lock.yml`. All have closed historical issues (RGS-012/018); these are recurring suppressions.
- **runner-guard RGS-004 +3** on `q`, `ai-moderator`, `dev-hawk` (+1 each). Likely a new step in each workflow inheriting the same comment-triggered pattern.
- **poutine `untrusted_checkout_exec`** = 12 across `dependabot-worker`, `smoke-workflow-call`, `smoke-workflow-call-with-inputs`: `bash` execution from untrusted checkouts.
### Clustered Findings by Tool and Type
#### Zizmor Security Findings
| Rule | Affected workflows |
|------|--------------------|
| `github-env` | `dev-hawk.lock.yml` (lines 739, 1584) |
| `excessive-permissions` | `dependabot-repair.lock.yml` |
| `artipacked` | `daily-geo-optimizer.lock.yml` |
| `obfuscation` | `GH_AW_WIKI_NOTE: ${{ '' }}` pattern |
| `template-injection` | `daily-otel-instrumentation-advisor`, `daily-reliability-review`, `daily-token-consumption-report`, `deep-report` |
| `template-injection` | `ai-moderator`, `contribution-check`, ~22 others |
| `superfluous-actions` | |
#### Poutine Supply Chain Findings
| Rule | Affected workflows |
|------|--------------------|
| `untrusted_checkout_exec` | `dependabot-worker`, `smoke-workflow-call`, `smoke-workflow-call-with-inputs` |
| `github_action_from_unverified_creator_used` | `agentic-token-audit`, `dataflow-pr-discussion-dataset`, `hippo-embed`, `link-check` (×2), `mcp-inspector`, `smoke-codex`, `super-linter`, `copilot-setup-steps` |
| `unverified_script_exec` | `smoke-codex` (trufflehog installer), `copilot-setup-steps` (install-gh-aw.sh) |
| `pr_runs_on_self_hosted` | `smoke-copilot-arm.lock.yml` (ubuntu-24.04-arm) |
#### Actionlint Linting Issues
| Check | Details |
|-------|---------|
| `check-shellcheck-integ` (SC2086 + SC2016) | `run:` blocks across 236 workflows |
| `check-unexpected-keys` (`queue` in `concurrency`) | `queue: max` is not a valid concurrency key; affects every workflow |
| `check-permissions` (`copilot-requests`, `vulnerability-alerts`) | `copilot-requests: write` is not a recognized scope |
| `check-syntax-expression` | |
#### Runner-Guard Taint Analysis Findings
Affected workflows, grouped by finding:
- `q.lock.yml` (113), `ai-moderator.lock.yml` (80), `dev-hawk.lock.yml` (70)
- `daily-model-inventory` (3), `visual-regression-checker` (2), `daily-multi-device-docs-tester`, `docs-noob-tester`
- `copilot-setup-steps`, `daily-cli-performance`, `daily-sentrux-report`, `go-logger`, `smoke-claude`, `smoke-codex`
- `ai-moderator` (4), `q` (3), `agentic_commands` (1)
- `error-message-lint.yml` (line 50)

Issues created this run: none. All Critical/High runner-guard rule + file combinations have closed historical issues (RGS-004: #29694, #29883, #30077, #30284, #30778, #30945; RGS-012: #33477, #30776, #30079, #30947, #28488; RGS-018: #33476, #29461, #28154, #30532, #30777, #30078). Per dedup policy, closed rule+file issues are not recreated.
### Top Priority Issue
1. **`github-env` High on `dev-hawk.lock.yml` (5 days unfixed)**: writing attacker-controlled values to `$GITHUB_ENV` can inject variables read by later steps, escalating to code execution.
### Fix Suggestion for `github-env` (zizmor High)
**Issue**: Dangerous use of environment file (`$GITHUB_ENV`)
**Severity**: High
**Affected Workflows**: 1 (`dev-hawk.lock.yml`)
**Prompt to Copilot Agent**:
After (safe — env input + validation):
Please apply this fix to the two `dev-hawk` writes (lines 739 and 1584 in the generated lock file). Edit the `.md` source, not the `.lock.yml`.