fix(ci): bind forge SSH key so mirror.yml guards actually work

[hyperpolymath]

mirror.yml guarded each forge's ssh-agent with if: ${{ env.SSH_PRIVATE_KEY != '' }}, but SSH_PRIVATE_KEY was never defined — so the guard was permanently false, ssh-agent never loaded, and every enabled mirror push ran keyless and failed silently. Binds each job's real secrets.<FORGE>_SSH_KEY to a job-level SSH_PRIVATE_KEY env so the guard works per forge. Found by the estate latent-CI sweep. 🤖 Generated with Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 48 issues detected

Severity	Count
🔴 Critical	0
🟠 High	37
🟡 Medium	11

View findings

[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/docmatrix/docmatrix",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in push-email-notify.yml",
    "type": "missing_timeout_minutes",
    "file": "push-email-notify.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence