pre-pr-security-cycle
// Maintainer workflow for the pre-PR secure loop: code, build/test, SAST/CodeQL, dynamic sanitizer checks, fixes, and concise handoff.
| Field | Value |
|---|---|
| name | pre-pr-security-cycle |
| description | Maintainer workflow for the pre-PR secure loop: code, build/test, SAST/CodeQL, dynamic sanitizer checks, fixes, and concise handoff. |
| allowed-tools | `["bash","read","grep","glob","shell(git:*)","shell(gh:*)"]` |
Use this skill before opening, updating, or finalizing an iccDEV PR that touches C/C++, CMake, CI, release packaging, sanitizer policy, CodeQL, or other security automation.
| Change | Required static checks |
|---|---|
| Workflow YAML | Workflow governance prompt, YAML parse, actionlint, CodeQL Actions analysis, expression-in-run scan |
| Python script | Python syntax check and CodeQL Python analysis |
| Shell script | ShellCheck; CodeQL Actions covers inline workflow `run:` blocks, not standalone shell scripts |
| C/C++ or CMake security path | CodeQL local script or hosted ci-codeql-security |
| Parser/profile/tool behavior | Code review hunting prompt plus sanitizer build where practical |
| Release, WASM, vcpkg | Governance prompt plus package/runtime smoke logs |
| Dockerfile or container policy | hadolint, Trivy config, image scan, and Docker runtime smoke |
CodeQL does not replace YAML, shell, or permissions review.
For workflow changes, also review ../../../docs/workflow-security-trust-boundaries.md. PR workflows that build PR code must use trusted-base .github/scripts helpers for sanitizers, summaries, and reusable workflow logic; any PR-controlled helper execution must be test-only and explicitly visible in preflight output.
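The "expression-in-run scan" required for workflow YAML changes in the table above is the check that catches `${{ ... }}` expressions interpolated into a step's `run:` script, where a PR-controlled value becomes shell code. The following is an added example of that scan, not the project's own .github/scripts helper: it is a line-based scanner (no PyYAML dependency) that handles single-line `run:` values and `run: |` / `run: >` block scalars, and flags which expressions read from PR-controlled contexts using a small, non-exhaustive prefix list that is an assumption of this example. The sample workflow is constructed and shows a weak step beside the corrected `env:` form.

```python
"""Expression-in-run scan for GitHub Actions workflow files (added example).

Every `${{ ... }}` inside a `run:` block is expanded into the script text before
the shell runs it, so a PR-controlled value such as the PR title is executed as
code. The corrected pattern passes the value through `env:` and reads it as a
shell variable, so the shell sees data rather than code.
"""
import re
from dataclasses import dataclass

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# optional leading "- " (list item), then the run key and the rest of the line
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Heuristic, non-exhaustive list of context prefixes a PR author can influence
# (assumption of this example, not a project-defined policy).
PR_CONTROLLED_PREFIXES = ("github.event.", "github.head_ref", "inputs.")


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line number in the workflow file
    expression: str    # expression text without the ${{ }} delimiters


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def is_pr_controlled(expression: str) -> bool:
    """True when the expression reads from a PR-influenced context (heuristic)."""
    return expression.startswith(PR_CONTROLLED_PREFIXES)


def scan_workflow(text: str) -> list[Finding]:
    """Return every expression found inside a run: value, in file order."""
    findings: list[Finding] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        if value and value[0] not in "|>":
            # single-line run: the whole value is the script
            for e in EXPR_RE.finditer(value):
                findings.append(Finding(i + 1, e.group(1)))
            i += 1
            continue
        # block scalar: body lines are blank or indented deeper than the key
        i += 1
        while i < len(lines):
            ln = lines[i]
            if ln.strip() and _indent(ln) <= key_indent:
                break
            for e in EXPR_RE.finditer(ln):
                findings.append(Finding(i + 1, e.group(1)))
            i += 1
    return findings


# Constructed sample workflow: an unsafe step next to its corrected form.
SAMPLE_WORKFLOW = """\
name: pr-smoke
on: pull_request
jobs:
  smoke:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Weak: the PR title is interpolated into the script as code.
      - name: echo title (unsafe)
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          echo "Base: ${{ github.base_ref }}"
      # Corrected: the same value passed through env, read as data.
      - name: echo title (safe)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
      - run: echo "ref=${{ github.ref }}" >> "$GITHUB_OUTPUT"
"""


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        tag = "PR-CONTROLLED" if is_pr_controlled(f.expression) else "expression"
        print(f"line {f.line}: {tag} in run: ${{{{ {f.expression} }}}}")
```

Run over the sample, the scan reports three expressions inside `run:` blocks (lines 11, 12 and 18 of the sample) and marks only the first as PR-controlled; the corrected step is not flagged because its expression sits under `env:`, not `run:`. Treat any flagged expression as a review item regardless of the heuristic tag: the prefix list is deliberately short and a fixed-looking context can still carry data from a forked PR.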
Choose the smallest dynamic check that proves the changed behavior; for Dockerfile or container-policy changes that means hadolint and Trivy config first, then build, scan, or smoke the affected image when practical.

Report only merge-relevant evidence: prefer a short, hand-trimmed report over raw logs.
Related docs and prompts:

- ../../../docs/pre-pr-security-cycle.md
- ../../../docs/workflow-security-trust-boundaries.md
- ../../../docs/build.md
- ../../../docs/ctest.md
- ../../../docs/codeql.md
- ../../../docs/regression-workflow-governance.md
- ../../prompts/pre-pr-security-cycle.prompt.md
- ../../prompts/audit-workflow-governance.prompt.md
- ../../prompts/build-and-test.prompt.md
- ../../prompts/code-review-hunting.prompt.md

Related skills:

- Reproduce and triage ASAN/UBSAN findings against iccDEV tools with authoritative exit-code and stack-frame handling.
- Maintainer workflow for scoping and updating iccDEV CI, CTest, CPack, sanitizer, workflow, and release-gate infrastructure.
- Add or update iccDEV regression gates and tool-test workflow coverage while preserving GitHub Actions governance, sanitizer reporting, and issue traceability.
- Maintain iccDEV repository labels, path labeler rules, issue triage labels, PR CI status labels, and label workflow governance.
- Debug iccDEV vcpkg, install/export, uninstall, and packaged consumer failures, especially Windows static CRT and path quoting regressions.
- Review and edit iccDEV documentation for signal, accuracy, canonical ownership, and low-noise handoff.