[plan] Fix systemic secrets-outside-env pattern in workflow compiler (3,813 findings) #22252

@github-actions

Description

Objective

Evaluate and implement a framework-level fix for the systemic secrets-outside-env zizmor MEDIUM finding affecting all 177 workflows (3,813 findings). The fix should be made in the workflow compiler to emit secrets via env: blocks rather than directly in run: scripts.

Context

Source: Static Analysis Report - 2026-03-22

Vulnerability: secrets-outside-env — Secrets referenced directly inside run: scripts without a dedicated env: block, so the expanded secret value becomes part of the script text and can surface in process listings.

Scale: 3,813 findings across all 177 workflows — this is a systemic pattern in the compiled .lock.yml output generated by the framework.

Current pattern (in generated lock files):

- name: Run step
  run: |
    echo "${{ secrets.SOME_SECRET }}" | some-command

Required pattern (zizmor-compliant):

- name: Run step
  env:
    SOME_SECRET: ${{ secrets.SOME_SECRET }}
  run: |
    echo "$SOME_SECRET" | some-command

Approach

  1. Investigate compiler output: Find where secrets are injected into run: blocks in the compiler (pkg/workflow/compiler_yaml.go or related files)
  2. Identify all secret patterns: Look for ${{ secrets.* }} usage in compiled templates
  3. Implement env: block generation: Modify the compiler to:
    • Extract secret references from run: scripts
    • Add them to a step-level env: block
    • Replace ${{ secrets.X }} with $SECRETS_X (or similar safe env var name) in the script
  4. Test: Compile a representative set of workflows and verify zizmor no longer reports secrets-outside-env
  5. Run make recompile and validate
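As an added illustration of steps 2 and 3 (not code from the gh-aw compiler itself), the following Go snippet implements the extract-and-hoist transformation on a single run: script: it finds every `${{ secrets.X }}` reference, records a step-level env: entry for it, and rewrites the script to read the value from the environment. The `SECRETS_` prefix, the `HoistSecrets`/`RenderStep` names and the sample script are assumptions for this example; it also uses the braced `${SECRETS_X}` form rather than bare `$SECRETS_X` so that a reference immediately followed by an identifier character (e.g. `${{ secrets.X }}_suffix`) is not mis-parsed by the shell, and it assumes the step runs under a POSIX shell (a pwsh step would need `$env:` syntax instead).

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// secretRefPattern matches ${{ secrets.NAME }} with optional inner whitespace.
// Assumption: secret names are identifier-like ([A-Za-z_][A-Za-z0-9_]*).
var secretRefPattern = regexp.MustCompile(`\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)

// EnvVarName maps a secret name to the environment variable the script will read.
// Assumption: the SECRETS_ prefix (the issue leaves the exact naming open).
func EnvVarName(secret string) string {
	return "SECRETS_" + secret
}

// HoistSecrets rewrites a run: script so that every ${{ secrets.X }} becomes a
// shell reference ${SECRETS_X}, and returns the env: entries the step must carry.
// A script with no secret references is returned unchanged with an empty map.
func HoistSecrets(script string) (string, map[string]string) {
	env := map[string]string{}
	rewritten := secretRefPattern.ReplaceAllStringFunc(script, func(m string) string {
		name := secretRefPattern.FindStringSubmatch(m)[1]
		key := EnvVarName(name)
		env[key] = fmt.Sprintf("${{ secrets.%s }}", name)
		return "${" + key + "}"
	})
	return rewritten, env
}

// RenderStep emits the zizmor-compliant step: an env: block (only when at least
// one secret was hoisted, keys sorted for deterministic lock-file output) followed
// by the rewritten run: script.
func RenderStep(name, script string) string {
	rewritten, env := HoistSecrets(script)
	var b strings.Builder
	fmt.Fprintf(&b, "- name: %s\n", name)
	if len(env) > 0 {
		keys := make([]string, 0, len(env))
		for k := range env {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		b.WriteString("  env:\n")
		for _, k := range keys {
			fmt.Fprintf(&b, "    %s: %s\n", k, env[k])
		}
	}
	b.WriteString("  run: |\n")
	for _, line := range strings.Split(strings.TrimRight(rewritten, "\n"), "\n") {
		fmt.Fprintf(&b, "    %s\n", line)
	}
	return b.String()
}

func main() {
	// Constructed sample script (not taken from any real workflow), with one
	// spaced and one unspaced secret reference.
	script := "echo \"${{ secrets.SOME_SECRET }}\" | some-command\n" +
		"curl -H \"Authorization: token ${{secrets.GH_TOKEN}}\" https://example.invalid\n"
	fmt.Print(RenderStep("Run step", script))
}
```

Running it prints a step whose env: block carries `SECRETS_GH_TOKEN` and `SECRETS_SOME_SECRET` while the run: lines reference only `${SECRETS_...}`, which is the shape zizmor's secrets-outside-env check expects. In the real compiler the same transformation would be applied at the point where run: bodies are assembled, so the env: block is emitted per step rather than bolted on afterwards.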

Files to Investigate

  • pkg/workflow/compiler_yaml.go — main YAML generation logic
  • pkg/workflow/expression_extraction.go — expression/secret extraction
  • actions/setup/sh/*.sh — check if any setup scripts also have this pattern

Acceptance Criteria

  • The compiler generates env: blocks for secrets instead of inline ${{ secrets.* }} in run: scripts
  • make recompile regenerates all 177 workflows with the new pattern
  • Zizmor secrets-outside-env findings drop from ~3,813 to near 0
  • All existing tests still pass (make test-unit)
  • Generated workflows still function correctly in CI

Generated by Plan Command for issue #discussion #22240 · expires on Mar 24, 2026, 8:48 AM UTC