[codex] Run workflow security guard on workflow changes
@singhbharath03draftchecks…codex/workflow-security-guard → codex/github-actions-security-linter1 files · +82 −0updated 1w agochecks n/a
▸Description
Summary
- Add
workflow_security_guard.yaml to run the GitHub Actions security linter from #24572 on workflow file changes.
- Keep the job least-privilege with
permissions: contents: read, no secrets, and only pinned first-party actions.
- Pass only changed workflow YAML files to the linter to avoid repo-wide noise from historical workflows.
Stack
- Stacked on #24572 (
codex/github-actions-security-linter) because this workflow depends on ci_checks/lint_github_actions_security.py.
Validation
uv run python - <<... parsed .github/workflows/workflow_security_guard.yaml and checked contents: read.uv run python ci_checks/lint_github_actions_security.py .github/workflows/workflow_security_guard.yamlgit diff --checkuv run pytest tests/test_lints/test_github_actions_security.py