
chore: deploy agentic workflows #35

Merged: WomB0ComB0 merged 10 commits into main from deploy-workflows-2334 on Jun 11, 2026

Conversation

WomB0ComB0 (Member) commented Jun 11, 2026

Deploy 4 workflows to resq-software/programs.

This PR was created by gh aw deploy after running update, add, and compile --purge in the target repository.

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD infrastructure with automated GitHub Actions workflows for maintenance tasks, security auditing, issue triaging, secret analysis, and code duplication detection.
    • Updated workflow configurations and security scanning settings to improve development processes and repository management.

coderabbitai Bot commented Jun 11, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

This PR introduces four new AI-powered GitHub Actions workflows (AI-Auditor, Auto-Triage Issues, Daily Secrets Analysis, Duplicate Code Detector) alongside infrastructure configuration and agentic maintenance automation. Each workflow pairs an instruction definition file (.md) with an auto-generated execution orchestration lock file (.lock.yml) that manages multi-job pipelines for activation, threat detection, safe-output handling, and reporting. Supporting configuration updates enable workflow linting, action pinning, CI security scanning, and dependency vulnerability exemptions.

Changes

Agentic Workflows & Infrastructure

Layer / File(s) / Summary

Workflow tooling & CI/CD infrastructure
Files: .gitattributes, .github/actionlint.yaml, .github/aw/actions-lock.json, .github/workflows/security.yml, osv-scanner.toml
Summary: Configuration updates mark auto-generated workflow locks as linguist-generated (merge conflict resolution), ignore actionlint linting for lock files and maintenance workflows, pin action versions (github-script, gh-aw actions), update security scan workflow SHA reference, and add a new ignored Rust vulnerability (proc-macro-error2) with dependency chain explanation.

Agentics Maintenance workflow
Files: .github/workflows/agentics-maintenance.yml
Summary: Bi-hourly scheduled and on-demand multi-operation maintenance workflow supporting cache cleanup, label creation, activity/forecast reporting, PR branch updates, workflow validation, and safe-output replay with permission gating and conditional job execution.

AI-Auditor workflow: definition & execution
Files: .github/workflows/ai-auditor.md, .github/workflows/ai-auditor.lock.yml
Summary: Security code-review workflow triggered on PR open/dispatch. Definition (.md) directs Gemini to review changes for security/logic/performance issues and post results via PR comments. Lock file (.lock.yml) orchestrates activation (prompt compilation, secret validation), agent execution (Gemini CLI under AWF sandbox with MCP servers), threat detection, and safe-output issue/comment reporting.

Auto-Triage Issues workflow: definition & execution
Files: .github/workflows/auto-triage-issues.md, .github/workflows/auto-triage-issues.lock.yml
Summary: Automated issue triage on issue/schedule/dispatch. Definition (.md) specifies label taxonomy (type/service/library/area), classification logic, community-member detection, and fallback noop behavior. Lock file (.lock.yml) orchestrates pre-activation role checks, activation, agent analysis via Copilot CLI, threat detection, and label application with safe-output handling.

Daily Secrets Analysis workflow: definition & execution
Files: .github/workflows/daily-secrets-analysis.md, .github/workflows/daily-secrets-analysis.lock.yml
Summary: Weekly repository secret scanning on schedule/dispatch. Definition (.md) embeds six-step scan logic: private-key markers, API/token patterns, blockchain/IPFS credentials, mock-mode checks, .env files, JWT/session secrets, .gitignore coverage, infrastructure references, workflow secrets, with structured discussion reporting. Lock file (.lock.yml) orchestrates activation, agent execution, threat detection, and discussion-based issue creation.

Duplicate Code Detector workflow: definition & execution
Files: .github/workflows/duplicate-code-detector.md, .github/workflows/duplicate-code-detector.lock.yml
Summary: Weekly polyglot code duplication detection on schedule/dispatch. Definition (.md) specifies analysis across Rust/TypeScript/Python/C++/C#, detection thresholds (>10 lines or 3+ patterns), scope rules, issue templates, and max 3 issues with noop fallback. Lock file (.lock.yml) orchestrates guardrails, activation, agent execution via Copilot CLI, threat detection, safe-output processing, and per-pattern issue creation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Four new sentries guard the code with glowing minds,
From audits deep to secrets hiding in the dark,
Triaging issues, finding duplication's mark,
While maintenance keeps the agentic gears aligned! ✨

🚥 Pre-merge checks: 5 passed

Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'chore: deploy agentic workflows' directly and clearly describes the main objective of the PR, which is to deploy agentic workflows to the repository.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


gemini-code-assist Bot left a comment

Code Review

This pull request adds a .gitattributes file to mark GitHub workflow lock files as linguist-generated and configure their merge strategy. It also introduces an actions lock file (.github/aw/actions-lock.json) to pin specific versions and SHAs of GitHub Actions, including actions/github-script and github/gh-aw-actions. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

WomB0ComB0 and others added 9 commits June 11, 2026 00:17
…429)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…429)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… actionlint; optional scaffolding)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ession)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…d by actionlint)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
proc-macro-error2 2.0.1 is unmaintained (crate archived upstream). It is a
build-time-only proc-macro pulled transitively via aquamarine -> solana-runtime
-> solana-program-test (a dev-dependency). No fixed version exists, so the
advisory is added to the existing unmaintained-crate ignore list to unblock the
osv-scanner gate. Verified locally: osv-scanner reports 'No issues found'.
WomB0ComB0 merged commit e698439 into main on Jun 11, 2026 (18 of 19 checks passed).
WomB0ComB0 deleted the deploy-workflows-2334 branch on June 11, 2026 at 18:12.