Add Security job to integrations workflow with SAST and linting #18

Draft

Copilot wants to merge 3 commits into master from copilot/add-ai-toolkit-and-security-workflow

Conversation

Contributor

Copilot AI commented Feb 18, 2026

Completes the Full Stack AI Toolkit + Security bootstrap by adding a Security job to the existing integrations workflow. The integration-checks job already handles service connectivity; this adds automated security scanning.

Changes

  • Security job with fail-safe SAST and linting

    • Semgrep static analysis (--config=p/ci) with optional pip3 install
    • ShellCheck for shell scripts with optional apt install
    • Basic file security checks for sensitive patterns (*.key, *.pem, etc.)
    • All steps use continue-on-error: true - missing tools skip gracefully
    • Proper find with -path exclusions to avoid false matches
  • No config changes needed - config/services.example.json already documents all 9 required secrets

Security Workflow Behavior

# Tools install only if available, skip otherwise
- Install Semgrep (optional) → Run/Skip based on availability
- Install ShellCheck (optional) → Run/Skip based on availability
- Basic file checks → Always runs (no deps)

All checks are non-blocking - they report issues but never fail the build. Workflow succeeds even when tools are unavailable or find issues.

Verified

  • YAML syntax valid
  • 0 CodeQL alerts
  • Correct semgrep flags (no duplicate --severity)
  • Find commands use -path instead of grep filters

Original prompt

Add a Full Stack AI Toolkit + AI Full Stack Security Toolkit bootstrap to lippytm/Transparency-Logic-Time-Machine-Bots-.

Deliverables:

  1. GitHub Actions workflow: .github/workflows/integrations.yml

    • Triggers: push to main and workflow_dispatch.
    • Jobs:
      a) Integrations: checkout; detect presence of secrets (mask values); run placeholder connectivity steps for OpenAI, ManyChat, BotBuilders, Moltbook, Moltbot, OpenClaw, GitHub. If a secret is missing, skip that service gracefully. Use only bash/curl (no extra deps).
      b) Security: minimal, portable lint/style + basic SAST with safe fallbacks (no repo-specific deps assumed). Example: run semgrep --config=p/ci if available; otherwise echo skipped. Run shellcheck if available; otherwise skip. Keep the job dependency-free beyond standard tools; do not fail when tools/lockfiles are absent.
    • Logging: only report which secrets are present/missing; never print values. Mark steps with if: guards so missing secrets/tools don’t fail the workflow.
    • Env variables map directly to the secret names below.
  2. Config stub: config/services.example.json

    • Documents expected env vars and placeholders; no secrets committed.

Secrets to reference (names only, no values):

  • OPENAI_API_KEY
  • MANYCHAT_API_KEY
  • BOTBUILDERS_API_KEY
  • MOLTBOOK_API_KEY
  • MOLTBOT_API_KEY
  • OPENCLAW_API_KEY
  • GITHUB_PAT (only if cross-repo GitHub API calls are needed)
  • WEBHOOK_URL
  • Optional base URLs: SERVICE_BASE_URL_OPENCLAW (pattern SERVICE_BASE_URL_* for others)

Constraints:

  • Keep workflow dependency-light (bash/curl; optional semgrep/shellcheck only if available or installed in-job with minimal footprint).
  • Fail-safe: missing secrets/tools should skip relevant steps, not fail the run.
  • No secrets or sensitive data committed.

This pull request was created from Copilot chat.
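A stand-alone sketch of the fail-safe pattern the PR describes (run a scanner only if it is on PATH, otherwise announce the skip; a report-only sensitive-file check built on find with -path exclusions). This is an added example, not the PR's workflow; the exclusion list, the name patterns and the temporary demo tree are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's own workflow): the fail-safe shape it describes, in POSIX sh.

# Run a scanner only when its binary is on PATH; otherwise announce the skip.
# Always returns 0, like a step with continue-on-error: true.
run_if_available() {
  tool="$1"; shift
  if command -v "$tool" >/dev/null 2>&1; then
    echo "running: $tool $*"
    "$tool" "$@" || echo "$tool reported findings (non-blocking)"
  else
    echo "skipped: $tool not installed"
  fi
  return 0
}

# List files whose names match sensitive patterns, pruning VCS and vendored
# directories with -path before the -name test (no grep -v post-filter).
# The exclusion and pattern lists are assumptions for this example.
find_sensitive_files() {
  find "$1" \( -path '*/.git' -o -path '*/node_modules' \) -prune -o \
    -type f \( -name '*.key' -o -name '*.pem' -o -name '.env' \) -print | sort
}

# Report-only: prints a summary and returns 0 whether or not anything matched.
check_sensitive_files() {
  matches=$(find_sensitive_files "$1")
  count=$(printf '%s' "$matches" | grep -c . || true)
  if [ "$count" -gt 0 ]; then
    echo "WARNING: $count file(s) with sensitive name patterns:"
    printf '%s\n' "$matches"
  else
    echo "OK: no sensitive file name patterns found"
  fi
  return 0
}

# Demo on a constructed temporary tree. The same wrapper serves
# `run_if_available semgrep --config=p/ci .`; left out here to stay offline.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src" "$tmp/node_modules"
  : > "$tmp/deploy.pem"                  # expected to be reported
  : > "$tmp/node_modules/vendored.key"   # pruned by -path, not reported
  printf '#!/bin/sh\necho ok\n' > "$tmp/src/run.sh"
  run_if_available shellcheck "$tmp/src/run.sh"
  check_sensitive_files "$tmp"
  rm -rf "$tmp"
}
demo
```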


Copilot AI and others added 2 commits February 18, 2026 23:37
Co-authored-by: lippytm <65956507+lippytm@users.noreply.github.com>
Co-authored-by: lippytm <65956507+lippytm@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Full Stack AI Toolkit and security workflow Add Security job to integrations workflow with SAST and linting Feb 18, 2026
Copilot AI requested a review from lippytm February 18, 2026 23:42