Test Superagent CI/CD workflow review comments

[homanp]

Summary

Intentional workflow hardening test for Superagent PR security scanning. This PR modifies .github/workflows/typecheck.yml with patterns the CI/CD scanner should flag so we can verify inline review comments on workflow files.

Do not merge. Close after validating Superagent comments/checks.

Changes

• Adds broad permissions: write-all at workflow scope
• Adds a run step that interpolates ${{ github.event.pull_request.title }} directly in shell

Test plan

• Confirm Superagent Security Scan check runs on this PR
• Confirm inline review comment(s) appear on .github/workflows/typecheck.yml with ci_cd findings
• Close PR without merging

[open-cla]

Contributor License Agreement

All contributors are covered by a CLA.

[superagent-security]

Superagent found 2 security concern(s).

[superagent-security]

P0: Shell command injection via PR title template interpolation

run step interpolates untrusted PR title directly into a shell command.

Pass the PR title via an env variable to prevent shell injection.

AI prompt

Check if this security scanner issue is valid. If so, understand the root cause and fix it. If appropriate, update or add tests. Keep the change focused and preserve intended behavior.

<file name=".github/workflows/typecheck.yml">
<violation number="1" location=".github/workflows/typecheck.yml:21">
<priority>P0</priority>
<title>Shell command injection via PR title template interpolation</title>
<evidence>run: echo "PR title is ${{ github.event.pull_request.title }}"</evidence>
<recommendation>Move the interpolated value to an environment variable so the shell receives it as a literal string. For example, add an env block: env:
  PR_TITLE: ${{ github.event.pull_request.title }}
and change the run step to: run: echo "PR title is $PR_TITLE".</recommendation>
</violation>
</file>

[superagent-security]

P1: Workflow grants overly broad write-all permissions

Workflow declares broad permissions: write-all, giving excessive GITHUB_TOKEN privileges.

Replace write-all with least-privilege permissions scoped per job.

AI prompt

Check if this security scanner issue is valid. If so, understand the root cause and fix it. If appropriate, update or add tests. Keep the change focused and preserve intended behavior.

<file name=".github/workflows/typecheck.yml">
<violation number="1" location=".github/workflows/typecheck.yml:10">
<priority>P1</priority>
<title>Workflow grants overly broad write-all permissions</title>
<evidence>permissions: write-all</evidence>
<recommendation>Replace the broad workflow-scoped `permissions: write-all` with least-privilege permissions. Add `permissions: {}` at the workflow level and grant only the specific permissions each job requires (e.g., `contents: read` for checkout and `pull-requests: read` if needed).</recommendation>
</violation>
</file>