Add workflow-linter.yml prevention workflow

Author: hyperpolymath

.github/workflows/workflow-linter.yml

@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Prevention workflow - validates all workflows have proper security config
+name: Workflow Security Linter
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+  push:
+    paths:
+      - '.github/workflows/**'
+
+permissions: read-all
+
+jobs:
+  lint-workflows:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: Check SPDX headers
+        run: |
+          errors=0
+          for f in .github/workflows/*.yml .github/workflows/*.yaml; do
+            [ -f "$f" ] || continue
+            if ! head -1 "$f" | grep -q "SPDX-License-Identifier"; then
+              echo "ERROR: $f missing SPDX header"
+              errors=$((errors + 1))
+            fi
+          done
+          exit $errors
+
+      - name: Check permissions declaration
+        run: |
+          errors=0
+          for f in .github/workflows/*.yml .github/workflows/*.yaml; do
+            [ -f "$f" ] || continue
+            if ! grep -q "^permissions:" "$f"; then
+              echo "ERROR: $f missing permissions declaration"
+              errors=$((errors + 1))
+            fi
+          done
+          exit $errors
+
+      - name: Check pinned actions
+        run: |
+          errors=0
+          for f in .github/workflows/*.yml .github/workflows/*.yaml; do
+            [ -f "$f" ] || continue
+            # Look for uses: without SHA
+            if grep -E "uses:.*@v[0-9]" "$f" | grep -v "#"; then
+              echo "WARNING: $f has unpinned actions (missing SHA comment)"
+            fi
+          done