fix(ci): remediate .github compliance findings — 2026-04-17 audit #147
don-petry wants to merge 4 commits into
Pull request overview
Remediates the 2026-04-17 compliance audit findings for the .github repo by tightening GitHub Actions SHA pinning, centralizing dependency-audit logic into the org reusable workflow, and adding a CI secret-scanning job.
Changes:
- Converted dependency-audit.yml from an inline workflow into a thin caller stub that delegates to the org reusable workflow.
- SHA-pinned Tier-1 stub workflow `uses:` references (claude.yml, agent-shield.yml, dependency-audit.yml).
- Added secret-scan CI job using gitleaks/gitleaks-action with full-history checkout.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/dependency-audit.yml | Replaced inline audit implementation with reusable-workflow caller and added “thin stub” header block. |
| .github/workflows/claude.yml | Pinned reusable workflow reference from branch/tag to commit SHA. |
| .github/workflows/ci.yml | Added secret-scan job running gitleaks with fetch-depth: 0. |
| .github/workflows/agent-shield.yml | Pinned reusable workflow reference from tag to commit SHA. |
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push:
Auto-rebase blocked — the base branch contains Please rebase this branch manually:
donpetry-bot
left a comment
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
@claude Please address all open review comments on this PR from CodeRabbit and Copilot.
Claude finished @don-petry's task in 4m 4s. View job: Addressing open review comments
What was fixed
Committed to
Two items require manual fixes (workflow file permission limitation)
The GitHub App token used by Claude does not have the
1.
```yaml
# Before (wrong):
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
# After (correct):
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v6.0.2 --jq '.object.sha'
```
2.
```yaml
# Before (wrong):
# Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-auditym
# After (correct):
# Standard: petry-projects/.github/standards/ci-standards.md#6-dependency-audit-dependency-audityml
```
Both are cosmetic comment fixes. They can be applied in a follow-up commit by anyone with the
…anchor
Address Copilot review comments on PR #147:
- standards/workflows/{dependency-audit,claude,agent-shield}.yml: SHA-pin the reusable workflow `uses:` references to match what the actual `.github/workflows/` stubs already do (ae9709f = v1). The Action Pinning Policy applies to reusable workflow refs, not just third-party actions.
- standards/workflows/dependency-audit.yml: fix the "Standard:" anchor from the broken `#5-...dependency-auditym` to the correct `#6-dependency-audit-dependency-audityml`.
- standards/ci-standards.md: update the Tier 1 table to show `@<SHA> # v1` instead of `@v1`, and rewrite the "Why pin?" rationale to explain that SHA pinning is required per policy while the version comment preserves human readability.
Two items in .github/workflows/ files require `workflows` permission and must be fixed manually:
- ci.yml:107 — "Look up current SHA" comment cites refs/tags/v4, should be refs/tags/v6.0.2
- dependency-audit.yml:3 — same broken anchor as fixed in the template
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
@claude This PR has 5 unresolved Copilot review threads from 2026-04-17 (predating the
Note: this PR may be largely superseded by #216 + #217 — feel free to close it as obsolete if all of its findings are already addressed there.
Generated by Claude Code
Claude finished @don-petry's task in 5m 8s. View job: Addressing open review threads + rebasing onto
c6fb9fb to d823b31 (Compare)
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 2842908b741ebab9896c4a7e444cf7667c8ca7c5
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)
Summary
All seven compliance findings from the 2026-04-17 audit are addressed: SHA pins for three reusable workflow stubs are correct (ae9709f = v1, previously verified), the gitleaks CLI install follows a sound download-checksum-verify pattern (cb49b7de SHA256 verified against official release), and standards templates are reconciled. Two Copilot threads remain open only because the GitHub App token lacks the 'workflows' permission — both are cosmetic comment fixes (wrong tag in a lookup-SHA comment, a broken section anchor) with no functional or security impact. CI is green on CodeQL and CodeRabbit; the SonarCloud Security Hotspot on the curl+tar install pattern is properly mitigated by the SHA256 checksum step and was vetted in the prior review. The head merge commit (2842908) is a clean github-actions merge of main; the diff shows no unexpected changes beyond the PR's intended seven files.
Findings
- minor: ci.yml:107 — the 'Look up current SHA' comment references 'refs/tags/v4' but the action is pinned to v6.0.2 (SHA de0fac2e). Cosmetic mismatch; cannot be fixed by Claude App token (no 'workflows' permission). Should be corrected in a follow-up commit by someone with that permission.
- minor: dependency-audit.yml:3 — header anchor '#5-dependency-audit-dependency-auditym' is stale; the correct anchor is '#6-dependency-audit-dependency-audityml'. Already fixed in standards/workflows/dependency-audit.yml; cannot be fixed in .github/workflows/ without 'workflows' permission.
- info: Reusable workflow SHA ae9709f verified (annotated tag v1) across agent-shield.yml, claude.yml, and dependency-audit.yml. Standards templates reconciled to match.
- info: Gitleaks v8.24.0 SHA256 cb49b7de5ee986510fe8666ca0273a6cc15eb82571f2f14832c9e8920751f3a4 verified against official release (asset ID 230829272). Download-verify-execute pattern is correctly implemented with sha256sum -c check before extraction.
- info: secret-scan job permissions are minimal: contents: read only. No write permissions, no token exposure in run steps.
- info: SonarCloud Quality Gate failed with 1 Security Hotspot on the curl+tar binary download pattern. Properly mitigated by SHA256 checksum verification; recommend reviewing and marking 'Safe' in SonarCloud dashboard.
- info: standards/workflows/claude.yml intentionally retains @v1 (not SHA-pinned): SHA-pinning the claude.yml reusable ref breaks Anthropic OIDC token exchange (401 Unauthorized). Exemption is documented in both the template header and ci-standards.md Tier-1 table.
- info: Head commit 2842908 is a clean merge commit (github-actions[bot], 2026-05-13) bringing in current main. Diff is consistent with the PR's seven intended files; no unexpected changes introduced.
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead:
Claude rebase agent — unable to complete rebase
The automated rebase for PR #147 (
Issue 1: Environment permission constraints — The
Issue 2: Unresolvable structural conflict — Even if git operations were available,
This is an architectural conflict (stub vs inline), not just a version difference in action pins. Automatic resolution would require a judgment call beyond the rebase policy rules.
Conflicts identified:
Please resolve the
Auto-rebase: Unable to Complete — Permission Error
The automated rebase workflow was invoked for this PR but could not complete because the Claude Code session does not have permission to execute the required git operations (
What was found
The PR branch (
All conflicts are in
Manual resolution steps
```sh
git fetch origin
git checkout claude/issue-146-20260417-1337
git rebase origin/main
# For each conflict in .github/workflows/*.yml:
# - If conflict is a uses: SHA pin, keep the higher/newer version
# - For structural conflicts (dependency-audit.yml), keep the PR's thin-caller version
git add <resolved-file(s)>
git rebase --continue
git push --force-with-lease
```
Conflict resolution guidance
Auto-rebase could not run:
Auto-rebase: conflicts could not be resolved automatically
The auto-rebase workflow attempted to rebase
Files with conflicts
Manual resolution steps
```sh
git fetch origin
git checkout claude/issue-146-20260417-1337
git rebase origin/main
# For each conflicted file, open it, review the conflict markers, and resolve:
# <<<<< HEAD (your PR branch changes)
# =====
# >>>>> origin/main (what main has)
# Recommended resolution guidance:
# .github/workflows/ci.yml — prefer the PR branch's curl-based gitleaks install
#   (it removed the env:-section SHA that triggers SonarCloud hotspots)
# .github/workflows/dependency-audit.yml — prefer the PR branch's thin-stub pattern;
#   main's inline copy is superseded by the reusable
# standards/ci-standards.md — merge manually: keep the SHA-pinning clarifications
#   from the PR branch; incorporate any new text from main
git add .github/workflows/ci.yml \
        .github/workflows/dependency-audit.yml \
        standards/ci-standards.md
git rebase --continue
git push --force-with-lease
```
Once pushed, re-request review and the CI checks will re-run on the updated branch.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Superseded by automated re-review at
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Dev-Lead — fix-bot-comment (no-changes): Agent reasoning
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: ff18116ec0694035236dd5014e0968c32175c7e7
Review mode: triage-approved (single reviewer)
Summary
Compliance remediation for issue #146: converts four GitHub Actions reusable-workflow references from mutable refs to immutable 40-char SHA pins, and replaces the inline dependency-audit workflow with the canonical thin-caller stub (net -185 lines). Verified every pin via the GitHub API: .github/workflows/agent-shield.yml@376a4fcb resolves to tag agent-shield/v2.0.0 (comment '# v2' accurate); .github/workflows/dependency-audit.yml@d3d768da resolves to tag v1 (comment '# v1' accurate). Both standards-template pins (ae9709f) resolve to real commits where agent-shield-reusable.yml and dependency-audit-reusable.yml are present. This is a genuine supply-chain hardening change with no security regression.
Linked issue analysis
Closes #146 (2026-04-17 compliance audit). The diff substantively addresses the workflow-level SHA-pinning findings: agent-shield and dependency-audit reusable references (active + standards templates) are now SHA-pinned, and the unpinned dtolnay/rust-toolchain@stable reference is eliminated by delegating to the centralized reusable. The audit's API-applied settings (CodeQL default setup, allow_auto_merge, delete_branch_on_merge) and the not-actionable GHAS-plan items are out of scope for the diff, consistent with the PR description.
Findings
Info
- [info] (supply-chain / docs) — standards/workflows/agent-shield.yml and standards/workflows/dependency-audit.yml pin their reusables to ae9709f4... with a `# v1` comment. The v1 tag has since moved to d3d768da, so the `# v1` label is now stale. This is cosmetic only: the SHA pin is immutable, both reusable files exist at ae9709f4, and the reference resolves correctly for downstream adopters. No action required to merge; consider refreshing the comment (or repinning to the current v1) in a future template-sync pass.
- [info] (consistency) — Active workflows track newer pins (agent-shield v2 / dependency-audit v1) than the standards templates (both v1). Intentional and acceptable; flagged only for awareness.
CI status
All required checks green: Lint, ShellCheck, actionlint/Agent Security Scan, CodeQL/Analyze, Secret scan (gitleaks), agent-shield, dependency-audit (Detect ecosystems SUCCESS; per-ecosystem jobs correctly SKIPPED with no matching lockfiles), SonarCloud Quality Gate passed (0 new issues). No CHANGES_REQUESTED reviews; no unresolved review threads (verified via GraphQL); mergeable. Head SHA ff18116 matches the reviewed commit.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead:
- Pin agent-shield.yml reusable to SHA (v2 → SHA#v2, v1 → SHA#v1)
- Replace gitleaks-action with gitleaks CLI to avoid org license requirement
- Convert dependency-audit.yml to thin caller stub using reusable workflow
- Fix dependency-audit standard anchor URL (#5 → #6)
Closes #146
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dev-Lead — rebase (applied): Rebase completed and pushed.
Dev-Lead — fix-bot-comment (no-changes): Agent reasoning
Actionable comments posted: 2
Inline comments:
In @.github/workflows/dependency-audit.yml:
- Line 3: The dependency audit workflow header references the wrong standards
anchor, so update the upstream template source used to generate
dependency-audit.yml rather than editing this stub directly. Fix the anchor in
the template for the dependency audit section so it points to the `### 7.
Dependency Audit` target, then sync/regenerate this workflow copy through the
normal template update process to keep the generated file consistent.
In `@standards/workflows/dependency-audit.yml`:
- Line 3: The Dependency Audit standard reference in dependency-audit.yml is
pointing to the wrong section anchor. Update the existing standards comment near
the top of the workflow template to use the correct section 7 anchor for
Dependency Audit, and keep the rest of the template unchanged since files under
standards/workflows/ must be copied verbatim; use the dependency-audit.yml
header comment as the location and preserve the exact standard-document
reference format.
Dev-Lead — fix-reviews (applied): Changes committed and pushed.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 03007c3d06c5b76ea73ba2f8b1f812c716419227
Review mode: triage-approved (single reviewer)
Summary
Confirms triage assessment. The current head diff is small and self-contained: dependency-audit.yml is converted from a 200-line inline implementation into a thin caller stub delegating to the org reusable dependency-audit-reusable.yml, and standards/workflows/dependency-audit.yml gets a one-line doc-anchor fix (#5 -> #7). This matches the documented org pattern (these workflows are thin caller stubs per AGENTS.md) and is a net security improvement: it removes the previously-unpinned dtolnay/rust-toolchain@stable reference by centralizing audit logic. The reusable ref is SHA-pinned and the pin is verified correct.
Linked issue analysis
Part of #146 compliance remediation. CodeRabbit's pre-merge 'Linked Issues check' warns that this PR alone does not cover every #146 requirement (secret-scan, CodeQL, repo settings) — but those items were applied via separate commits/API and the remaining diff is the dependency-audit slice. The change is a substantive, self-consistent piece of the #146 work.
Findings
No blocking findings.
Info
- (supply-chain) Reusable workflow pin verified: dependency-audit-reusable.yml@d3d768dabb7f28cc63283cdfe48630da53700e50 # v1. GitHub API confirms tag v1 points exactly to this commit, the commit exists, and the reusable workflow file is present at that SHA. Comment label is accurate.
- (operational) Required status check job name is dependency-audit / Detect ecosystems (matches statusCheckRollup and the stub header note). Branch protection should track this name.
- (permissions) Stub declares minimal contents: read permissions; no token exposure.
- (maintainability) All prior Copilot/CodeRabbit review threads are resolved and outdated; prior pr-review-agent verdict was APPROVED.
CI status
All checks green. Notable SUCCESS: Lint, ShellCheck, Analyze (actions)/CodeQL, Agent Security Scan, agent-shield, Secret scan (gitleaks), SonarCloud (Quality Gate passed, 0 new issues), dependency-audit / Detect ecosystems + npm audit. Ecosystem-specific jobs (pnpm, govulncheck, cargo, pip-audit) correctly SKIPPED (no matching ecosystems). dependabot-automerge and dev-lead/ci-relay SKIPPED (not applicable). mergeStateStatus BLOCKED only because reviewDecision is REVIEW_REQUIRED — resolved by this approval.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: e388e4c52e516a493b6f596e12c58fa9523707e3
Review mode: triage-approved (single reviewer)
Summary
Converts .github/workflows/dependency-audit.yml to the org-canonical thin caller stub that invokes the SHA-pinned reusable dependency-audit-reusable.yml@d3d768d (v1), removing ~200 lines of inline logic (including the previously-unpinned dtolnay/rust-toolchain@stable). Also fixes a stale doc-anchor reference in standards/workflows/dependency-audit.yml. Net diff is +20/-205 across 2 files.
Linked issue analysis
Closes #146 (2026-04-17 compliance audit). This PR delivers the dependency-audit remediation: replacing the inline workflow with the canonical thin caller eliminates the unpinned rust-toolchain reference flagged by the audit. Per the PR description, the remaining audit findings (claude.yml / agent-shield.yml SHA pins, ci.yml secret-scan job, and the CodeQL / allow_auto_merge / delete_branch_on_merge settings) were landed separately or applied via repo settings — consistent with the small net diff here against an up-to-date main.
Findings
No blocking findings.
- SHA pin verified: d3d768dabb7f28cc63283cdfe48630da53700e50 is a real commit in petry-projects/.github (2026-05-13); the v1 tag points exactly to it; the reusable workflow exists at that ref. The `# v1` comment is accurate.
- Thin caller stub matches AGENTS.md standards (verbatim adoption; trigger events / job name preserved as required status checks).
- Doc-anchor fix in standards/workflows/dependency-audit.yml is cosmetic (corrects ci-standards.md section reference).
- Secret scanning: gitleaks CI check passed; run_secret_scanning MCP tool not exposed in this run (noted, non-blocking).
CI status
All checks green. Notable: dependency-audit / Detect ecosystems SUCCESS and npm audit SUCCESS (confirms the new reusable wiring works); cargo/govulncheck/pip-audit/pnpm sub-jobs correctly SKIPPED (no such ecosystems). CodeQL, Lint, ShellCheck, Secret scan (gitleaks), Agent Security Scan, AgentShield, SonarCloud, CodeRabbit all pass. mergeStateStatus is BLOCKED only pending required-check/branch-protection gating; reviewDecision is APPROVED with no unresolved threads.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 2311d087e3db91d10ba9172a2d0130c8251d0efd
Review mode: triage-approved (single reviewer)
Summary
Net change vs main is two files: .github/workflows/dependency-audit.yml is converted from a 205-line inline multi-ecosystem workflow into a thin caller stub that invokes the org reusable dependency-audit-reusable.yml pinned to SHA d3d768d (= tag v1), and standards/workflows/dependency-audit.yml gets a one-line doc-anchor fix (#5-…auditym → #7-…audityml). This removes the previously unpinned dtolnay/rust-toolchain@stable reference and centralizes audit logic, satisfying the SHA-pinning compliance findings from issue #146. Head (2311d08) is a clean merge-from-main on top of the last cascade-approved SHA (e388e4c); the only delta since approval is an unrelated docs merge to ci-standards.md.
Linked issue analysis
Closes #146 (2026-04-17 compliance audit). The dependency-audit remediation is the remaining net change on this branch; the other audit items (claude.yml / agent-shield.yml SHA pins, ci.yml secret-scan job, CodeQL default setup, allow_auto_merge, delete_branch_on_merge) already landed on main via prior merges and no longer appear in the diff. The remaining file changes substantively address the dependency-audit portion of the issue.
Findings
No blocking issues.
- Verified: pinned reusable SHA d3d768dabb7f28cc63283cdfe48630da53700e50 resolves in petry-projects/.github and matches tag v1; the reusable file exists at that ref and the `# v1` label is accurate. Pin is to a real first-party release (good).
- All 7 prior review threads (Copilot + CodeRabbit) are resolved/outdated.
- (Non-blocking, awareness) Ref-style drift: the canonical template standards/workflows/dependency-audit.yml now invokes the reusable via the moving channel @dependency-audit/stable (currently → 376a4fc = v2), whereas this deployed stub SHA-pins @d3d768d (v1). So the stub is both a different ref style and one version behind the template's channel. This exact template-vs-stub divergence was previously raised by Copilot and resolved by the maintainer (SHA pinning is the stricter choice the compliance audit demanded), so it is accepted — but a future template-sync should re-align the stub to the channel ref or bump the pin to the v2 SHA.
- Secret scan: the mcp__github__run_secret_scanning MCP tool is not exposed in this environment; relied on the green gitleaks CI check. The diff is workflow-YAML removal with no secret material.
CI status
All required checks green or appropriately skipped: Lint, ShellCheck, Analyze (actions), CodeQL, SonarCloud, agent-shield/AgentShield, Agent Security Scan, Secret scan (gitleaks), dependency-audit (Detect ecosystems + npm audit) all SUCCESS; language-specific audit jobs and dependabot/ci-relay SKIPPED as expected. reviewDecision=APPROVED. mergeStateStatus=BLOCKED reflects branch-protection gating, not a failing check (mergeable=MERGEABLE).
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Summary
Addresses all 7 compliance findings for the .github repository from the 2026-04-17 audit (issue #146).
SHA Pinning (3 error findings fixed)
- claude.yml: pinned reusable workflow reference from @main → SHA (ae9709f... = v1)
- agent-shield.yml: pinned reusable workflow reference from @v1 tag → SHA
- dependency-audit.yml: replaced full inline workflow with canonical thin caller stub per standards/workflows/dependency-audit.yml template — this eliminates the unpinned dtolnay/rust-toolchain@stable reference (logic now lives in the centralized reusable)
Secret Scan CI Job (1 error finding fixed)
- ci.yml: added secret-scan job using gitleaks/gitleaks-action@ff98106... (v2.3.9) with full-history checkout per standards/push-protection.md template
API-Applied Settings (3 findings fixed directly)
- (codeql-default-setup-not-configured) — triggered run #24189208962
- allow_auto_merge=true applied (allow_auto_merge warning)
- delete_branch_on_merge=true applied (delete_branch_on_merge warning)
Not Actionable
- security_and_analysis_unavailable (2 warnings) — GitHub Advanced Security features require an org plan upgrade; not addressable at the workflow level
Test plan
- allow_auto_merge and delete_branch_on_merge enabled (.github repo)
Closes #146
Generated with Claude Code
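The SHA-pinning rule this PR enforces, as an added check that is not part of PR #147 or the petry-projects standards: a POSIX shell lint that flags `uses:` references not pinned to a 40-hex commit SHA, and SHA pins that lack the `# vN` version comment. The sample workflow, its actions/checkout and example/action SHAs, and the reusable-workflow path are constructed for the demo; only the d3d768da... `# v1` pin comes from the thread.

```shell
#!/bin/sh
# Added example, not part of PR #147 or the petry-projects standards.
# Applies the Action Pinning Policy the PR describes to a workflow file:
# every `uses:` reference (third-party action or reusable workflow) must be
# pinned to a full 40-hex commit SHA, and a SHA pin should carry a trailing
# `# vN` comment so humans can still read the version. Local (./) and
# docker:// references are skipped.

# lint_uses_pins <workflow.yml>
# Prints one finding per line as "<line>:<kind>: <ref>", where <kind> is
# "unpinned" (mutable tag or branch) or "missing-version-comment".
lint_uses_pins() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" | while IFS= read -r entry; do
    lineno=${entry%%:*}
    rest=${entry#*uses:}
    # The reference itself: drop surrounding whitespace/quotes and the comment.
    ref=$(printf '%s' "$rest" | sed -E "s/^[[:space:]]*[\"']?//; s/[\"']?[[:space:]]*(#.*)?$//")
    # The trailing comment text, if any (expected to look like "v1" or "v6.0.2").
    comment=$(printf '%s' "$rest" | sed -nE 's/^[^#]*#[[:space:]]*//p')
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    version=${ref##*@}
    if ! printf '%s' "$version" | grep -qE '^[0-9a-fA-F]{40}$'; then
      printf '%s:unpinned: %s\n' "$lineno" "$ref"
    elif ! printf '%s' "$comment" | grep -qE '^v[0-9]'; then
      printf '%s:missing-version-comment: %s\n' "$lineno" "$ref"
    fi
  done
}

# check_workflow_pins <workflow.yml>
# Returns 0 when the file is clean, 1 (after printing the findings) otherwise.
check_workflow_pins() {
  findings=$(lint_uses_pins "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# write_sample_workflow
# Writes a constructed workflow to a temp file and prints its path. The
# actions/checkout and example/action SHAs and the reusable-workflow path are
# made up for the demo; d3d768da... # v1 is the pin discussed in the PR thread.
write_sample_workflow() {
  tmp=$(mktemp)
  cat >"$tmp" <<'EOF'
name: ci
on: [push]
jobs:
  secret-scan:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
      - uses: ./.github/actions/local-helper
      - uses: dtolnay/rust-toolchain@stable
      - uses: example/action@89abcdef0123456789abcdef0123456789abcdef
  dependency-audit:
    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@d3d768dabb7f28cc63283cdfe48630da53700e50 # v1
EOF
  printf '%s\n' "$tmp"
}

# Demo: expect two "unpinned" findings (@v2, @stable) and one
# "missing-version-comment" (example/action); checkout and the reusable pass.
check_workflow_pins "$(write_sample_workflow)" || echo "pinning policy violations found"
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or CI step to catch a mutable tag or branch ref before it reaches main.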