[codex] Guardrail candidate: Workflow shell footgun (workflow-shell-footgun)

[haasonsaas]

Workflow shell footgun

This issue routes a recurring review-feedback class to the repo that needs the prevention guardrail.

• Repo: evalops/.github
• Class: workflow-shell-footgun
• Repo findings: 1
• Class findings: 1
• Generated at: 2026-05-15T12:59:46Z
• Window: merged since 2026-05-12 with minimum severity high
• Org tracker: [codex] Guardrail backlog: Workflow shell footgun (workflow-shell-footgun) #69

Guardrail to build

Add or extend workflow lint/security checks so fragile shell and GitHub Actions mistakes fail before review.

Representative feedback in this repo

• high Add EvalOps PR lens review workflow #75 .github/scripts/evalops-pr-lens-review.rb:141

  • gh_api missing --input flag drops request body

  • Add EvalOps PR lens review workflow #75 (comment)

Finding fingerprints

• 129f54752faf4b7e165b7944b5bf10fdb6c1c5d6985bba45ac521c5671aaa015

Acceptance criteria

• A repo-local guardrail fails for at least one representative feedback shape listed above.
• The guardrail is wired into the smallest relevant CI, preflight, or test target in this repo.
• The issue is closed only after the guardrail merges and the feedback sentinel reports this repo/class fingerprint set as already closed or absent.

[haasonsaas]

Addressed by merged PR #82 (a8edecd). The PR added the org control-plane contract and verifier, CI rail, label sync, MCP config rollout, Codex hook guardrails, archived Dependabot audit/runbook, and strategy/tooling docs, with repository tests and targeted actionlint passing.