109 open code-scanning alerts, all from zizmor (the Actions security linter added in PR #2535), across 34 workflow files in 5 rule classes. Every one is fixable with a standard hardening pattern. Step the player to see the before → after and the proper architecture — not just the mechanical line.
Source: gh api repos/yonatangross/orchestkit/code-scanning/alerts · commit 4fd816314 · 2026-06-20 ·
severity split 33 error / 76 warning.
Escape hatch for an accepted risk: # zizmor: ignore[rule-id] on the line — prefer a real fix.