
test: Superagent dismiss via resolve conversation #323

Closed
superagent-security[bot] wants to merge 1 commit into main from test/superagent-dismiss-resolve


Conversation


@superagent-security superagent-security Bot commented May 20, 2026

What does this PR do?

Adds a minimal workflow fixture that should produce one Superagent security finding (PR title interpolated in run). Use this PR to verify clearing Security scan without a new push.

How to clear Security scan

  1. Wait for Superagent to post the inline finding and set Security scan to action_required.
  2. Open Files changed and find the Superagent inline comment thread.
  3. Click Resolve conversation on that thread.
    • If it is already resolved, click Unresolve conversation, then Resolve conversation again.
  4. Refresh the checks tab after a few seconds — Security scan should turn green.

Who can dismiss: repo members/collaborators, prior contributors, or users with write access. First-time contributors need a maintainer to resolve (or reply on the thread with context).

Alternative: reply on the finding thread explaining why the finding is acceptable; Superagent will acknowledge and clear the check once all findings are addressed.

Cleanup

Delete .github/workflows/superagent-dismiss-resolve-test.yml after testing.


Note

Low Risk
Adds a new pull-request GitHub Actions workflow that echoes the PR title, intentionally creating a CI/CD injection-style finding for testing. No production code paths are changed, but it will run on all PRs until removed.

Overview
Adds a new GitHub Actions workflow, .github/workflows/superagent-dismiss-resolve-test.yml, that runs on pull_request and echoes the PR title via a run command.

This is an intentional insecure fixture to generate a single Superagent CI/CD finding for testing dismiss/resolve behavior.

Reviewed by Cursor Bugbot for commit 9c28b22.

Single template-injection finding to verify clearing Security scan via resolve conversation.
@superagent-security superagent-security Bot (Author) commented

Clearing Security scan on this PR

After Superagent posts the inline finding:

  1. Open Files changed → find the Superagent thread
  2. Resolve conversation (or Unresolve, then Resolve, if already resolved)
  3. Refresh checks — Security scan should go green

Maintainers / prior contributors can resolve; first-time contributors can reply on the thread or ask a maintainer to resolve.

@open-cla
Copy link
Copy Markdown

open-cla Bot commented May 20, 2026

Contributor License Agreement

The following contributors need CLA coverage:

  • @superagent-security[bot]
  • @homanp

Review and sign the CLA

@superagent-security superagent-security Bot added contributor:verified Contributor passed trust analysis. pr:flagged PR flagged for review by security analysis. labels May 20, 2026
@superagent-security superagent-security Bot (Author) left a comment


Superagent found 1 security concern(s).

Comment thread .github/workflows/superagent-dismiss-resolve-test.yml
@superagent-security superagent-security Bot added pr:verified PR passed security analysis. and removed pr:flagged PR flagged for review by security analysis. labels May 20, 2026

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


    runs-on: ubuntu-latest
    steps:
      - name: Echo PR title unsafely
        run: echo "Reviewing PR titled ${{ github.event.pull_request.title }}"

Shell injection via untrusted PR title in workflow

High Severity

The ${{ github.event.pull_request.title }} expression is directly interpolated into the shell run command, creating a script injection vulnerability. Any external contributor can craft a PR title containing shell metacharacters (e.g., "; malicious-command #) to execute arbitrary commands in the CI runner. The workflow triggers on all pull_request events with no branch restriction, making it exploitable by anyone who can open a PR.


    runs-on: ubuntu-latest
    steps:
      - name: Echo PR title unsafely
        run: echo "Reviewing PR titled ${{ github.event.pull_request.title }}"

Temporary test workflow committed without removal mechanism

Medium Severity

This workflow is explicitly described in the PR as a temporary test fixture that needs to be manually deleted after testing. Committing temporary test infrastructure with an intentional security vulnerability and relying on manual cleanup creates a risk of the file persisting indefinitely in the repository, leaving the script injection active on all future PRs.

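As an added example (not code from the PR, from Superagent or from Cursor Bugbot), the POSIX shell script below simulates locally what the shell-injection finding above describes. GitHub Actions substitutes `${{ ... }}` expressions into the script text before the shell ever parses it, so a PR title containing quotes and semicolons becomes shell syntax; the script emulates that substitution with plain string interpolation followed by `sh -c`, which approximates rather than reproduces the runner. It then shows the standard mitigation: bind the expression to an environment variable in the step's `env:` block and reference it as a quoted `"$PR_TITLE"`. The PR title in `MALICIOUS_TITLE` is a constructed input, not one taken from the page.

```shell
#!/bin/sh
# Added example, not code from the PR or from either bot. Emulates how the Actions
# runner expands ${{ }} expressions textually before the shell parses the script.
# `sh -c` stands in for the runner's "write script file, invoke bash" behaviour.

# Constructed attacker-controlled PR title (assumed input, not from the page).
MALICIOUS_TITLE='"; echo INJECTED; echo "'

# Unsafe pattern, as in the PR's fixture:
#   run: echo "Reviewing PR titled ${{ github.event.pull_request.title }}"
# The title is spliced into the script source, so its quotes and semicolons
# terminate the echo and start new commands.
run_unsafe() {
  title=$1
  script="echo \"Reviewing PR titled ${title}\""   # what the shell would receive
  sh -c "$script"
}

# Safe pattern: the expression is bound to an env var and the script only
# references "$PR_TITLE"; the shell performs a quoted variable expansion and
# never treats the title's characters as code. Equivalent hardened step:
#   - name: Echo PR title safely
#     env:
#       PR_TITLE: ${{ github.event.pull_request.title }}
#     run: echo "Reviewing PR titled $PR_TITLE"
run_safe() {
  PR_TITLE=$1 sh -c 'echo "Reviewing PR titled $PR_TITLE"'
}

# Number of output lines, whitespace stripped (wc pads on some platforms).
line_count() {
  wc -l | tr -d ' '
}

echo "--- unsafe: title is parsed as shell code ---"
run_unsafe "$MALICIOUS_TITLE"
echo "--- safe: title is printed verbatim ---"
run_safe "$MALICIOUS_TITLE"
```

With the constructed title, `run_unsafe` emits three lines (the truncated echo, the injected `INJECTED`, and an empty echo) because the title's `"; ` closed the string and started a new command; `run_safe` emits a single line containing the title verbatim, quotes and semicolons included.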

@homanp homanp closed this May 20, 2026
@homanp homanp deleted the test/superagent-dismiss-resolve branch May 20, 2026 21:05

Labels

contributor:verified Contributor passed trust analysis. pr:verified PR passed security analysis.
