[q] ci: add runner-guard to security-scan matrix (#27661) #27667

@github-actions

Description

Adds runner-guard to the security-scan matrix in cgo.yml, enabling taint analysis as part of CI alongside zizmor, actionlint, and poutine.

Change

In .github/workflows/cgo.yml, the security-scan job matrix previously included:

  • zizmor (--zizmor)
  • actionlint (--actionlint)
  • poutine (--poutine)

This PR adds:

  • runner-guard (--runner-guard)

Why

Requested in issue #27661 ([static-analysis] Report - 2026-04-21). The static-analysis daily workflow already runs runner-guard, and this change ensures the same coverage runs in CI on the main branch for each push.

Validation

The security-scan job runs ./gh-aw compile poem-bot <flag> --verbose for each tool. The --runner-guard flag is already supported by the compile pipeline (compile_config.go).
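To make the matrix change concrete, here is the job shape the description above implies, written out as an added illustration; it is not the repository's actual .github/workflows/cgo.yml. The four flags and the ./gh-aw compile poem-bot <flag> --verbose invocation come from this page; the job name, step layout, the `flag` matrix variable, the `fail-fast` setting and the `permissions` block are assumptions.

```yaml
# Added illustration, not the repository's real .github/workflows/cgo.yml.
# Assumed: one `security-scan` job fanning out over a `flag` matrix variable,
# each entry running the compile pipeline with a single scanner enabled.
jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # least-privilege token for a read-only scan (assumed)
    strategy:
      fail-fast: false        # let every scanner report instead of stopping at the first failure (assumed)
      matrix:
        flag:
          - --zizmor
          - --actionlint
          - --poutine
          - --runner-guard    # added by this change: taint analysis in CI
    steps:
      - uses: actions/checkout@v4
      - name: Run security scan
        run: ./gh-aw compile poem-bot ${{ matrix.flag }} --verbose
```

Each matrix entry becomes its own job run, so a finding from runner-guard surfaces as a separate failed check rather than being hidden behind the other three scanners' results.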


Warning

Protected Files — Push Permission Denied

This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.

Protected files

The push was rejected because the GitHub Actions token does not have the workflows permission needed to push changes to workflow files (it is never granted that permission), or because the other authorization in use lacks it.

Create the pull request manually
# Download the patch from the workflow run
gh run download 24744874082 -n agent -D /tmp/agent-24744874082

# Create a new branch
git checkout -b q/enable-runner-guard-ci-1fa9a9b83d85849e main

# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-24744874082/aw-q-enable-runner-guard-ci.patch

# Push the branch and create the pull request
git push origin q/enable-runner-guard-ci-1fa9a9b83d85849e
gh pr create --title '[q] ci: add runner-guard to security-scan matrix (#27661)' --base main --head q/enable-runner-guard-ci-1fa9a9b83d85849e --repo github/gh-aw

🎩 Equipped by Q · ● 957.7K

  • expires on Apr 23, 2026, 8:36 PM UTC
