From 98a25d8959b67299e1f666f8f8fe2636ba5945fd Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Thu, 11 Jun 2026 00:03:01 -0400
Subject: [PATCH] ci(security-scan): skip gh-aw generated *.lock.yml in actionlint
gh-aw lock files are machine-generated and validated by `gh aw lint`; actionlint flags false-positives in them (concurrency.queue key its version doesn't know + info-level shellcheck in embedded scripts), failing the gate on every repo running agentic workflows. Lint hand-written workflows fully, skip the generated locks.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/security-scan.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index dff2edc..114989f 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -247,7 +247,9 @@ jobs:
 run: |
 set -euxo pipefail
 bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
- ./actionlint -color
+ # Skip gh-aw generated *.lock.yml (machine-generated; validated by `gh aw lint`).
+ files=$(find .github/workflows -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) ! -name '*.lock.yml' | sort)
+ if [ -n "$files" ]; then ./actionlint -color $files; else echo 'no hand-written workflows to lint'; fi
 # ── Semgrep (opt-in SAST) ─────────────────────────────────────────────────
 semgrep:
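Review bot: `./actionlint -color $files` on the added `if` line depends on unquoted word-splitting of the `find | sort` output, so a workflow filename containing whitespace or glob characters would be split or expanded, and under `set -euxo pipefail` that either lints the wrong path or fails the gate (ShellCheck reports this as SC2086). The names are repo-controlled, so this is a robustness rather than an injection concern, but a NUL-delimited array removes it: `mapfile -d '' -t files < <(find .github/workflows -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) ! -name '*.lock.yml' -print0 | sort -z)` followed by `if (( ${#files[@]} )); then ./actionlint -color "${files[@]}"; else echo 'no hand-written workflows to lint'; fi`. Separately, the unchanged `bash <(curl -fsSL …/rhysd/actionlint/main/scripts/download-actionlint.bash)` line above runs an installer fetched from a moving branch on every execution of this security gate; pinning that URL to a commit SHA, and the actionlint release it installs to a fixed version, would make the scan reproducible and narrow the supply-chain exposure. The `run:` block appears complete in the hunk, but the step and job it belongs to start before it.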