fix: replace standalone dependency-audit.yml with org standard thin caller stub#217
Open
don-petry wants to merge 45 commits into
Open
fix: replace standalone dependency-audit.yml with org standard thin caller stub#217don-petry wants to merge 45 commits into
don-petry wants to merge 45 commits into
Conversation
|
Warning Review limit reached
More reviews will be available in 18 minutes and 49 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (4)
📝 WalkthroughWalkthroughThe dependency-audit workflow is reduced to a thin caller that delegates auditing to a reusable org-level workflow. The standards reference is updated to a new anchor, and the reusable workflow reference is pinned to a commit SHA. ChangesWorkflow Delegation Pattern
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
Author
|
CI is green on all primary checks. @petry-projects/org-leads — this PR is ready for review and merge. It resolves the long-standing compliance finding by replacing the out-of-date standalone |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/dependency-audit.yml:
- Around line 32-33: Update the reusable workflow reference for the
dependency-audit job so it uses the exact commit SHA instead of the floating
tag; locate the "dependency-audit" job and replace the uses:
petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
reference with the corresponding commit SHA (the one resolved via the GitHub
API, e.g., 0cb4bba11d7563bf197ad805f12fb8639e4879e4) — make this change first in
the upstream template (petry-projects/.github) and then sync the updated file
into this repository so the workflow here points to the pinned SHA.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 623a0528-780e-499d-b8d0-38650618d3cb
📒 Files selected for processing (1)
.github/workflows/dependency-audit.yml
Contributor
There was a problem hiding this comment.
Pull request overview
Migrates the repository’s dependency-audit.yml from a standalone, inline implementation to the org-standard thin caller stub that delegates to the centralized reusable workflow, removing the previously unpinned third-party Rust toolchain action from this repo-level workflow.
Changes:
- Replaced the standalone multi-ecosystem audit workflow with the org-standard thin caller stub.
- Delegated execution to
petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Closed
Contributor
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
This was referenced May 10, 2026
Closed
don-petry
force-pushed
the
claude/issue-106-20260508-1732
branch
from
e197456 to
f2da3f4
Compare
This was referenced May 13, 2026
Closed
Closed
Contributor
Superseded by automated re-review at
|
Closed
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
don-petry
force-pushed
the
claude/issue-106-20260508-1732
branch
from
1ecc69b to
7dd04ca
Compare
Contributor
Author
Auto-rebase complete ✓The PR branch has been successfully rebased onto `main`. Conflict resolutionFile: `.github/workflows/dependency-audit.yml`
Resolution: Kept the PR branch version (thin caller stub). The only difference between main and the PR's base was a SHA pin for `dtolnay/rust-toolchain@stable` → `@29eef336...`. Since the PR replaces the entire standalone workflow with the org-standard thin stub (which delegates all logic — including Rust toolchain setup — to the centrally-maintained reusable), the standalone workflow's pin update is superseded by the PR's change. This falls under the action-pin conflict resolution rule: the PR's approach is the correct one per org standards. New HEAD``` Parent: `761dd4a` (current `main` tip — fix: disable check-suite auto-trigger for Claude and CodeRabbit on .github (#275))
|
Contributor
Author
Dev-Lead Fix CI — failedPR: #217 | SHA: |
Contributor
Author
Dev-Lead Fix CI — failedPR: #217 | SHA: |
Contributor
Author
Dev-Lead Fix CI — exhaustedThis PR has had 2 consecutive engine failures (timeouts or errors). Automated CI fixing has been paused to avoid consuming further tokens. Reason for last failure: Engine invocation failed (exit 1) To re-enable, delete this comment or push a new commit with a substantially different change. |
|
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
…#154) * fix: correct reusable workflow path in claude.yml and agent-shield.yml The workflow references were using an incorrect path with duplicate '.github/' segment: 'petry-projects/.github/.github/workflows/...' This caused failures in all child repos trying to call these reusables because GitHub Actions couldn't find the workflow at that path. Corrected to: 'petry-projects/.github/workflows/...' This fix will resolve failing compliance PRs across markets, ContentTwin, TalkTerm, and bmad-bgreat-suite that pinned these workflows. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * feat: add compliance audit check for reusable workflow path syntax Adds validation to catch the duplicate .github/ segment issue in reusable workflow references: - BROKEN: uses: petry-projects/.github/.github/workflows/... - CORRECT: uses: petry-projects/.github/workflows/... This check will flag any workflow that incorrectly references reusable workflows from the org .github repository with the doubled path segment. This prevents future auto-generated compliance PRs from seeding the broken path syntax across all org repositories. Resolves the root cause of widespread CI failures in compliance PRs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
* fix(claude-ci-fix): resolve PR via API when check_run payload is empty
- Remove pull_requests[0] != null guard from if condition; GitHub
frequently omits this array in check_run webhook payloads for
external checks (SonarCloud, CodeQL, etc.)
- Add Resolve PR number step that falls back to the commits/{sha}/pulls
API when the payload's pull_requests array is empty
- Fix self-exclusion name filter: was 'claude-code / claude' (wrong
case); actual check run names start with 'Claude Code'
- Fix concurrency key: was referencing pull_requests[0].number which
is null when payload is empty; now uses head_sha
* docs: add claude-ci-fix to standard and compliance audit
- Document the third job (claude-ci-fix) in ci-standards.md section 4:
update jobs list, triggers example, and checkout requirement note
- Extend check_claude_workflow_checkout() to also verify the check_run
trigger is present — without it claude-ci-fix can never fire
…m SHA pinning (#159) Resolve OIDC immutability constraint and exempt claude.yml from agent modifications - Document OIDC byte-for-byte validation requirement for .github/workflows/claude.yml - Add paths-ignore guard to prevent PR triggers on claude.yml-only changes - Create machine-readable exemption list (standards/workflow-exemptions.json) - Update agent-standards.md to reference exemption policy - Fix YAML linting error in auto-rebase.yml (missing EOF newline) Fixes all CodeRabbit review comments and unblocks 6 downstream auto-rebase pinning PRs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…refs fix: restore double .github path in reusable workflow refs Commit 956b396 incorrectly "fixed" the reusable workflow uses: paths by removing the second .github segment. The correct format for calling a reusable in the org's .github repo is: petry-projects/.github/.github/workflows/<file>.yml@<ref> where the first .github is the repo name and the second .github/workflows/ is the path within that repo. The "fix" broke both agent-shield.yml and claude.yml — all runs since April 21 have failed with 0 jobs (workflow file issue) in 0 seconds. Reverts the uses: lines to the pre-956b396 values. The standards/workflows/ templates and compliance-audit.sh already document the double .github as correct and expected. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The pull_request_review_comment condition previously required OWNER/MEMBER/COLLABORATOR author_association, which excluded both bots. Adds coderabbitai[bot] and Copilot as allowed senders so Claude automatically addresses their inline findings. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: make pr-review-mention an org standard with reusable workflow - Extract all logic from pr-review-mention.yml into pr-review-mention-reusable.yml (org single source of truth) - Slim pr-review-mention.yml down to a thin caller stub (local ref pattern, matching auto-rebase.yml) - Add standards/workflows/pr-review-mention.yml canonical template for other repos (@v1 reference) - Add pr-review-mention.yml to REQUIRED_WORKFLOWS and centralized stub checks in compliance-audit.sh - Document in ci-standards.md: template table, required-workflow count (6→7), and §10 with full spec - Add scripts/deploy-standard-workflows.sh to push standard stubs to all org repos in one command Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix: remove unused counter vars (SC2034), add trailing newline to codeowners-standard Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix: address Gemini review comments on deploy-standard-workflows.sh - Fix claude.yml compliance check: derive uses: from template (not stem-reusable heuristic), so the claude→claude-code-reusable name exception is handled automatically - Combine two API calls (SHA + content) into one fetch_existing call with tab-split output - Fix base64 portability: try -w 0 (GNU), fall back to -b 0 (BSD/macOS) - Increase repo list limit to 500 for larger orgs - Remove unused counter variables (already fixed in prior commit; this replaces the old approach) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix: address Copilot review comments - Declare GH_PAT_WORKFLOWS in workflow_call secrets block (matching other reusables) - Clarify fork-PR guard docs: only review_requested path excludes forks; comment triggers are base-repo-only by GitHub's event model, protected by trust check - Fix 'SHA' → 'tag' in standards/workflows/pr-review-mention.yml header comment - Add --no-archived to gh repo list in deploy script - Switch --field to --raw-field for content/sha/message to avoid form-encoding issues with base64's + and / characters Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
… to bot allow list (#238) * fix(claude): add copilot-pull-request-reviewer and gemini-code-assist to bot allow list The pull_request_review_comment condition allowed coderabbitai[bot] and Copilot but missed two other active review bots: - copilot-pull-request-reviewer[bot]: GitHub Copilot PR review app - gemini-code-assist[bot]: Google Gemini code review app Both are installed org-wide and regularly leave actionable review comments that Claude should respond to. Without these entries their comments caused the 'claude' job to be skipped every time. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(claude): guard bot allow list against fork PRs Per security review: bot logins have author_association 'NONE', so the new allow list could allow secrets-bearing runs triggered by bot comments on fork PRs. Add a same-repo guard so bot-triggered reviews only fire when the PR head is within the same repo. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(claude-ci-fix): correct self-loop guard and add fork PR trust gate - Fix self-loop: check run names for reusable workflows are prefixed by the calling job name (e.g. 'claude-code / claude-ci-fix'), not by the workflow display name 'Claude Code'; switch to startsWith 'claude-code / ' - Add fork PR trust gate in Resolve PR number step: verify head.repo matches target repo before running Claude with privileged credentials Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…(18 fixes, 17 new tests) (#85) * test(feature-ideation): extract bash to scripts, add schema + 92 bats tests Refactors the reusable feature-ideation workflow's parsing surface from an inline 600-line YAML heredoc into testable scripts with deterministic contracts. Every defect that previously required post-merge review can now fail in CI before adopters notice. Why --- The prior reusable workflow used `2>/dev/null || echo '[]'` for every gh / GraphQL call, which silently downgraded auth failures, rate limits, network outages, and GraphQL schema drift to empty arrays. The pipeline would "succeed" while producing useless signals — and Mary's Discussion posts would silently degrade across every BMAD repo on the org. The prompt also instructed Mary to "use fuzzy matching" against existing Ideas Discussions in her head, which is non-deterministic and untestable. Risk register (probability × impact, scale 1–9): R1=9 swallow-all-errors gh wrapper R2=6 literal $() inside YAML direct prompt R3=6 no signals.json schema R4=6 jq --argjson crash on empty input R5=6 fuzzy match in Mary's prompt → duplicate Discussions R6=6 retry idempotency hole R7=6 GraphQL errors[]/null data not detected R8=4 GraphQL partial errors silently accepted R10=3 bot filter only catches dependabot/github-actions R11=4 pagination silently truncates What's new ---------- .github/scripts/feature-ideation/ collect-signals.sh Orchestrator (replaces inline heredoc) validate-signals.py JSON Schema 2020-12 validator match-discussions.sh Deterministic Jaccard matcher (kills R5/R6) discussion-mutations.sh create/comment/label wrappers + DRY_RUN mode lint-prompt.sh Catches unescaped $() / ${VAR} in prompt blocks lib/gh-safe.sh Defensive gh wrapper, fails loud on every documented failure mode (kills R1, R7, R8) lib/compose-signals.sh Validates JSON inputs before jq composition lib/filter-bots.sh Extensible bot author filter (kills R10) lib/date-utils.sh Cross-platform date helpers README.md Maintainer docs .github/schemas/signals.schema.json Pinned producer/consumer contract for signals.json (Draft 2020-12). CI rejects any drift; the runtime signals.json is also validated by the workflow before being handed to Mary. .github/workflows/feature-ideation-reusable.yml Rewritten. Adds a self-checkout of petry-projects/.github so the scripts above are available in the runner. Replaces inline bash with collect-signals.sh + validate-signals.py. Adds RUN_DATE / SIGNALS_PATH / PROPOSALS_PATH / MATCH_PLAN_PATH / TOOLING_DIR env vars passed to claude-code-action via env: instead of unescaped shell expansions in the prompt body. Adds dry_run input that flows through to discussion-mutations.sh, which logs every planned action to a JSONL audit log instead of executing — uploaded as the dry-run-log artifact. .github/workflows/feature-ideation-tests.yml New CI gate, path-filtered. Runs shellcheck, lint-prompt, schema fixture validation, and the full bats suite on every PR that touches the feature-ideation surface. standards/workflows/feature-ideation.yml Updated caller stub template. Adds dry_run workflow_dispatch input so adopters get safe smoke-testing for free. Existing TalkTerm caller stub continues to work unchanged (dry_run defaults to false). test/workflows/feature-ideation/ 92 bats tests across 9 suites. 14 GraphQL/REST response fixtures. 5 expected signals.json fixtures (3 valid + 2 INVALID for negative schema testing). Programmable gh PATH stub with single-call and multi-call modes for integration testing. | Suite | Tests | Risks closed | |-----------------------------|------:|--------------------| | gh-safe.bats | 19 | R1, R7, R8 | | compose-signals.bats | 8 | R3, R4 | | filter-bots.bats | 5 | R10 | | date-utils.bats | 7 | R9 | | collect-signals.bats | 14 | R1, R3, R4, R7, R11| | match-discussions.bats | 13 | R5, R6 | | discussion-mutations.bats | 10 | DRY_RUN contract | | lint-prompt.bats | 8 | R2 | | signals-schema.bats | 8 | R3 | | TOTAL | 92 | | Test results: 92 passing, 0 failing, 0 skipped. Run with: bats test/workflows/feature-ideation/ Backwards compatibility ----------------------- The reusable workflow's input surface is unchanged for existing callers (TalkTerm continues to work with no edits). The new dry_run input is optional and defaults to false. Adopters who copy the new standards caller stub get dry_run support automatically. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * test(feature-ideation): use bash -c instead of sh -c in env-extension test CI failure on the previous commit: 91/92 passing, 1 failing. The filter-bots env-extension test used `sh -c` to source filter-bots.sh in a sub-shell with FEATURE_IDEATION_BOT_AUTHORS set. On macOS this works because /bin/sh is bash. On Ubuntu (CI), /bin/sh is dash, which does not support `set -o pipefail`, so sourcing filter-bots.sh produced: sh: 12: set: Illegal option -o pipefail Fixed by switching to `bash -c`. All scripts already use `#!/usr/bin/env bash` shebangs; this is the only place a sub-shell was spawned via `sh`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(feature-ideation): address Copilot review on PR #85 (11 fixes + 16 tests) Triaged 14 inline comments from Copilot's review of #85; two were already fixed by the tooling_ref→v1 commit, the remaining 11 are addressed here. Critical bug fixes ------------------ 1. lint-prompt.sh now scans claude-code-action v1 `prompt:` blocks in addition to v0 `direct_prompt:`. The reusable workflow uses `prompt:` so the linter was silently allowing R2 regressions on the very file it was supposed to protect. Added two regression tests covering both the v1 form and a clean v1 form passes. 2. add_label_to_discussion now sends labelIds as a proper JSON array via gh_safe_graphql_input (new helper). Previously used `gh -f labelIds=` which sent the literal string `["L_1"]` and the GraphQL API would have rejected the mutation at runtime. Added a test that captures gh's stdin and asserts the variables block contains a length-1 array. 3. validate-signals.py now registers a `date-time` format checker via FormatChecker so the `format: date-time` keyword in signals.schema.json is actually enforced. Draft202012Validator does NOT enforce formats by default, and the default FormatChecker omits date-time entirely. Used an inline checker (datetime.fromisoformat with Z normalisation) to avoid pulling in rfc3339-validator. Added two regression tests: one for an invalid timestamp failing, one for a clean timestamp passing. 4. gh_safe_graphql --jq path no longer swallows jq filter errors with `|| true`. Filter typos / wrong paths now exit non-zero instead of silently returning []. Added a regression test using a deliberately broken filter. 5. collect-signals.sh now computes the open-issue truncation warning BEFORE filter_bots_apply. Previously, a result set composed entirely of bots could drop below ISSUE_LIMIT after filtering and mask real truncation. Added an integration test with all-bot fixtures. 6. match-discussions.sh now validates MATCH_THRESHOLD as a non-negative number in [0, 1] before passing to Python. A typo previously surfaced as an opaque traceback. Added regression tests for non-numeric input, out-of-range input, and boundary values 0 and 1. Cleanup ------- 7. Removed dead bash `normalize_title` / `jaccard_similarity` functions from match-discussions.sh — the actual matching is implemented in the embedded Python block and the bash helpers were never called. 8. Schema $id corrected from petry-projects/TalkTerm/... to the canonical petry-projects/.github location. 9. signals-schema.bats "validator script exists and is executable" test now actually checks the `-x` bit (was only checking `-f` and `-r`). 10. README + filter-bots.sh comments now describe the bot list as a "blocklist" (it removes matching authors) instead of "allowlist". 11. test/workflows/feature-ideation/stubs/gh now logs argv with `printf '%q '` so each invocation is shell-quoted and re-parseable, matching its documentation. Previously logged `$*` which lost arg boundaries. New helper ---------- gh_safe_graphql_input — same defensive contract as gh_safe_graphql, but takes a fully-formed JSON request body via stdin instead of -f/-F flags. Use for mutations whose variables include arrays (e.g. labelIds: [ID!]!) that gh's flag-based interface cannot express. Five new tests cover its happy path and every documented failure mode. Tests ----- Test count: 92 → 108 (16 new regression tests, all green). Run with: bats test/workflows/feature-ideation/ Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(feature-ideation): address CodeRabbit review on PR #85 (7 fixes + 1 test) Triaged 13 inline comments from CodeRabbit's review of #85; 6 of them overlapped with Copilot's review and were already fixed by bcaa579. The remaining 7 are addressed here. Fixes ----- 1. lint-prompt.sh: ${VAR} branch lookbehind was inconsistent with the $(...) branch — only rejected $$VAR but not \${VAR}. Both branches now use [\\$] so backslash-escaped and dollar-escaped forms are skipped uniformly. 2. filter-bots.sh: FEATURE_IDEATION_BOT_AUTHORS CSV entries are now trimmed of leading/trailing whitespace before being added to the blocklist, so "bot1, bot2" matches both bots correctly instead of keeping a literal " bot2" entry. 3. validate-signals.py: malformed signals JSON now exits 2 (file/data error) to match the documented contract, instead of 1 (which means schema validation error). 4. README.md: corrected the workflow filename reference from feature-ideation.yml to feature-ideation-reusable.yml, and reworded the table cell that contained `\|\|` (escaped pipes that don't render correctly in some Markdown engines) to use plain prose. Also noted that lint-prompt scans both v0 `direct_prompt:` and v1 `prompt:`. 5. collect-signals.sh: added an explicit comment above SCHEMA_VERSION documenting the lockstep requirement with signals.schema.json's $comment version annotation. Backed by a new bats test that parses both files and asserts they match. 6. signals.schema.json: added $comment "version: 1.0.0" annotation so the schema file declares its own version explicitly. Used $comment instead of a custom keyword to keep Draft202012 compliance. 7. test/workflows/feature-ideation/match-discussions.bats: build_signals helper now computes the discussions count from the array length instead of hardcoding 0, so the fixture satisfies its own contract (cosmetic — the matcher only reads .items, but contract hygiene matters in test scaffolding). 8. test/workflows/feature-ideation/gh-safe.bats: removed the `|| true` suffix on the rest-failure assertion that made it always pass. Now uses --separate-stderr to capture stderr and asserts the structured `[gh-safe][rest-failure]` prefix is emitted on the auth failure path. Required `bats_require_minimum_version 1.5.0` to suppress the bats-core warning about flag usage. Tests ----- Test count: 108 → 109 (one new test for SCHEMA_VERSION ↔ schema sync). All 109 passing locally. Run with: bats test/workflows/feature-ideation/ Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(feature-ideation): address CodeRabbit re-review on PR #85 (15 fixes + 5 new tests) Critical/major: - collect-signals.sh: validate ISSUE_LIMIT/PR_LIMIT/DISCUSSION_LIMIT are positive integers; tighten REPO validation with strict ^[^/]+/[^/]+$ regex - compose-signals.sh: enforce array type (jq 'type == "array"') not just valid JSON so objects/strings don't silently produce wrong counts - date-utils.sh: guard $# before reading $1 to prevent set -u abort on zero-arg calls - filter-bots.sh: replace unquoted array expansion with IFS=',' read -r -a to prevent pathname-globbing against filesystem entries - gh-safe.sh: bounds-check args[i+1] before --jq dereference; add $# guard to gh_safe_graphql_input() to prevent nounset abort - lint-prompt.sh: recognise YAML chomping modifiers (|-,|+,>-,>+) in prompt_marker regex; replace [^}]* GH-expression stripper with a stateful scanner that handles nested braces; preserve exit-2 over exit-1 in main() - match-discussions.sh: wrap json.load calls in try/except for structured error exit-2 instead of Python traceback; skip discussions without an id; switch from greedy per-proposal to similarity-sorted global optimal matching - validate-signals.py: catch OSError on read_text() to preserve exit-2 contract; add -> bool return type annotation to _check_date_time Docs: - README.md: update lint command to mention both direct_prompt: and prompt:; fix Mary's prompt pointer to feature-ideation-reusable.yml Tests (+5 new, 109 → 114 total): - lint-prompt.bats: missing-file-before-lint-failing-file exits 2; YAML chomping modifiers detected; nested GH expressions don't false-positive - match-discussions.bats: malformed signals JSON exits non-zero; malformed proposals JSON exits non-zero - signals-schema.bats: truncated/malformed JSON exits 2 not 1 - date-utils.bats: use date_today helper instead of raw date -u - stubs/gh: prefer TT_TMP/BATS_TEST_TMPDIR for counter file isolation Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix(feature-ideation): simplify error-envelope check and harden gh stub Collapse the redundant outer+inner jq guard in gh_safe_graphql into the single-expression form already used by gh_safe_graphql_input, making both functions consistent. Add a fail-fast check to the gh stub so that setting GH_STUB_SCRIPT to a nonexistent path produces an immediate error instead of silently falling through to single-call mode and masking test misconfiguration. Add a bats test that pins the new behaviour. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…nses (#245) * feat(claude): add claude-fix-review-comments job for bot review responses Add a dedicated `claude-fix-review-comments` job that automatically processes review comments left by bots (CodeRabbit, Copilot, Gemini). Previously the `claude` job's if-condition allowed these bots but the claude-code-action always exited early ("Trigger result: false") because none of the bots mention `@claude` in their comments. The job fired but did no useful work. Changes: - Remove bot logins from the `claude` interactive-mode job's condition. Human OWNER/MEMBER/COLLABORATOR review comments still trigger that job (they use `@claude` in the comment body to get a response). - Add `claude-fix-review-comments` job that fires on pull_request_review_comment from the whitelisted bots, with a direct prompt that instructs Claude to: 1. Fetch all open review threads via GraphQL (collecting node IDs) 2. Check out the PR branch 3. Address each unresolved thread (applying suggestions, making fixes) 4. Commit and push 5. Resolve each addressed thread via GraphQL resolveReviewThread mutation 6. Wait for CI, fix any failures, repeat 7. Re-check for new threads after each push 8. Post a summary comment when done - Concurrency group per PR number with cancel-in-progress so that a new batch of bot comments cancels a prior run (the new run will address all open threads anyway). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(claude): rebase PR branch onto latest base before addressing review comments Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(claude-fix-review-comments): add allowedTools, fix pagination, guard empty commit - Add claude_args with --allowedTools covering gh pr checkout, gh pr view, gh pr comment, gh pr checks, gh run view/list/watch, gh api, git operations, Edit, and Write — required for every command the prompt issues; without this Claude refuses all Bash tool calls and the automation silently fails. - Bump reviewThreads(first:100) → first:250 (GraphQL max) so threads beyond 100 are not silently dropped on large PRs. - Guard the commit with git diff --cached --quiet to avoid a non-zero exit when there are no staged changes (all threads needed human input); configure git identity beforehand so commits don't fail on unconfigured runners. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Copilot <copilot@github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…ad.yml (#301) Deprecates claude.yml in ci-standards.md and promotes dev-lead.yml as the primary Tier 1 template. Makes §5 fully archival-only (removes links and converts operational instructions to historical reference) per CodeRabbit review feedback.
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4.6.2...043fb46) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
…#327) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
* docs: document fine-grained token scopes for ORG_SCORECARD_TOKEN * Apply suggestion from @gemini-code-assist[bot] Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * fix(docs): wrap long line to fix markdownlint error --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
…anch not found Race condition: gh pr list may include a PR whose branch has been deleted between the list fetch and the compare call (or a newly-created Dependabot PR whose branch is not yet fully initialised). Previously the script exited with code 1 because set -e propagated the 404 through the unguarded BEHIND=$(gh api …) assignment. Fix: wrap the compare call in if ! …; then … continue; fi so that a failed lookup logs a warning and skips to the next PR instead of aborting the step. Fixes: petry-projects/ContentTwin#232 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…le (#152) * fix(ci): downgrade pnpm/action-setup to v5 in dependency-audit reusable The SHA 08c4be7e (mislabeled # v4) is actually pnpm/action-setup@v6.0.0, which bootstraps with pnpm v11.0.0-rc.0. pnpm v11-rc cannot parse lockfiles generated by pnpm v9 (lockfileVersion '9.0'), causing ERR_PNPM_BROKEN_LOCKFILE in all repos still on pnpm v9. Pinning to action-setup@v5.0.0 (fc06bc1), which installs pnpm via npm directly with no v11 bootstrap, restoring compatibility with pnpm v9. * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
* Add multi-agent isolation strategy using git worktrees (#2)
* Add multi-agent isolation strategy using git worktrees
Define org-wide rules for running multiple AI agents concurrently
without conflicts: one worktree per agent, no overlapping file
ownership, tool-specific setup for Claude Code/Copilot/Codex/Cursor,
naming conventions, cleanup, and a pre-launch coordination checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address review comments: overlap detection, markdown fixes, branch clarity
- Add "Detecting File Overlap" subsection per CodeRabbit suggestion
- Reword origin/HEAD to reference default branch explicitly (Copilot)
- Qualify "name flows into branch" for manual worktrees (Copilot)
- Quote isolation: "worktree" consistently in YAML example (Copilot)
- Add git branch -D fallback for squash/rebase merges (Copilot)
- Fix markdown blank lines and language specifiers (CodeRabbit)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: Dependabot security-only update standards (#9)
Adds org-wide Dependabot security-only update standards: policy doc, dependabot.yml templates for all ecosystems, auto-merge workflow, and dependency-audit CI workflow.
* docs: add GitHub repository settings standards (#10)
* docs: add GitHub repository settings standards
Document the standard org and repo configurations including branch
protection, rulesets, merge settings, required integrations, labels,
and new-repo onboarding checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Improve merge settings rationale to clarify admin override purpose inline
- Replace vague protect-branches description with specific ruleset details
from the actual GitHub API configuration
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct settings values from API audit data
- Fix org default permission to 'write' (not 'read')
- Fix has_projects to 'true' (currently enabled on all repos)
- Fix has_wiki to 'true' (enabled on most repos)
- Fix squash commit message to COMMIT_MESSAGES (not PR body)
- Fix broodly stack label (TypeScript + Go, not Rust)
- Add installed GitHub Apps with dates from API audit
- Add compliance status table showing per-repo deviations
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: apply review feedback — rulesets, settings, and secrets
- Change wiki to disabled, discussions to enabled
- Change squash commit title to PR_TITLE
- Replace classic branch protection with rulesets-first approach
- Strengthen pr-quality ruleset: dismiss stale reviews, require last
push approval, require code owner review
- Abstract required checks into conditional code-quality ruleset
(removes repo-specific names, uses condition-based check mapping)
- Fix GitHub App secrets to reflect org-level inheritance
- Update new-repo checklist and compliance status accordingly
- Add migration note for classic → ruleset transition
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: require 2FA and align label onboarding checklist
- Set two-factor requirement to Required (was Disabled)
- Reference full standard label set in onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: tighten org permission to read, make labels MUST
- Change default repo permission to 'read' (least privilege)
- Change labels from SHOULD to MUST for consistency with onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: make all quality checks required on all repos
All five check categories (SonarCloud, CodeQL, Claude Code, CI, Coverage)
are now universally required. Ecosystem-specific configuration varies by
what languages/tools the repo contains — if an ecosystem is present, it
must be configured in the relevant checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove ci-standards.md (belongs in PR #11, not this branch)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: consolidate secrets documentation, add CLAUDE_CODE_OAUTH_TOKEN
- Split secrets into org-level and repo-level sections
- Add CLAUDE_CODE_OAUTH_TOKEN to org secrets table
- Add SONAR_TOKEN and GCP secrets to repo-level table
- Align onboarding note with secrets sections
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL rule-based, org-level secrets, remove repo-level section
- CodeQL definition now focuses on rule: all ecosystems must be configured
- Move SONAR_TOKEN to org-level secrets
- Remove repo-level secrets section — all standard CI secrets are org-level
- Simplify onboarding note
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix typo in repo-specific secrets note
Correct typo in the note about repo-specific secrets.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add CI/CD standards and workflow patterns (#11)
* docs: add CI/CD standards and workflow patterns
Document standard CI configurations across all repos including required
workflows, tech stack patterns, action pinning policy, permissions,
secrets inventory, and a gap analysis of current repo coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address Copilot review feedback on CI standards
- Clarify that only Dependabot workflows have reusable templates;
CI/CodeQL/SonarCloud/Claude are documented as copy-and-adapt patterns
- Fix top-level permissions in CI example to use {} per permissions policy
- Add branches filter to SonarCloud pull_request trigger for consistency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit SHA pinning and Go version feedback
- Pin SHAs in SonarCloud, Claude Code, and auto-fix workflow examples
- Clarify that tech stack patterns use tags for illustration only
- Update Go version example to use 'stable' with note about pinning
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: clarify single-job workflow permissions policy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: refine CI gap analysis and add version inconsistencies
- Mark markets Dependabot config as partial (missing npm ecosystem)
- Mark google-app-scripts auto-merge as older pattern
- Flag non-standard npm limit:10 on google-app-scripts
- Add CodeQL for TalkTerm to missing list
- Add version inconsistency section (SonarCloud, CodeQL, Claude Code)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: align CI standards with universal check requirements
All five quality checks (SonarCloud, CodeQL, Claude, CI, Coverage) are
required on every repo. Updated status table with Coverage column,
prioritized gap remediation list, and version alignment targets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL Friday noon EST, rule-based config, org-level secrets
- Change CodeQL schedule to Friday 12:00 PM EST (cron: 0 17 * * 5)
- Replace repo-specific language matrix with rule: all ecosystems
present in repo must be configured as CodeQL languages
- Move SONAR_TOKEN to org-level secrets
- Replace "Secrets by Repository" with "Organization-Level Secrets
for Standard CI" — all standard secrets are org-inherited
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add weekly compliance audit workflow (#12)
* feat: add weekly compliance audit workflow
Adds automated weekly audit that checks all petry-projects repos
against org standards (CI, Dependabot, settings, labels, rulesets)
and creates/updates/closes issues for each finding.
- Deterministic shell script for reliable, repeatable checks
- Claude Code Action job for standards improvement research
- Issues auto-assigned to Claude for remediation
- Summary notification for org owners
- Idempotent: updates existing issues, closes resolved ones
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review findings in compliance audit
- Add retry error logging to gh_api helper
- Fix pnpm detection when package.json absent
- Fix empty ecosystem array display
- Replace heredoc with direct assignment for issue body
- Add jq error safety in close_resolved_issues
- Increase repo list limit to 500 with empty check
- Use process substitution instead of pipe subshell
- Add concurrency group and timeout to workflow
- Add timeout-minutes to audit job
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit and Copilot review comments
- Handle single-job workflows with job-level permissions
- Add has_issues to required settings checks
- Soften CODEOWNERS wording (SHOULD not MUST per standards)
- Remove misleading issues:write from audit job permissions
- Rename repo_count to repos_with_findings for clarity
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: do not auto-close previous summary issues
Per feedback, only humans should close summary/notification
issues. Changed Claude prompt to explicitly not close them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: run compliance audit every Friday at noon UTC
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks (#14)
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks
- Remove .github repo exclusion — it now gets audited like all
other repos (settings, labels, rulesets, workflows, etc.)
- Add check_claude_md: every repo must have a CLAUDE.md that
references AGENTS.md
- Add check_agents_md: every repo must have an AGENTS.md that
references the org-level .github/AGENTS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments on CLAUDE.md/AGENTS.md checks
- Point standard_ref to AGENTS.md (the actual source of truth)
- Upgrade missing-ref severities from warning to error (required)
- Tighten AGENTS.md org-ref grep to match .github/AGENTS.md only
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add full CI pipeline for .github repo (#15)
* feat: add full CI pipeline for .github repo
Adds all 6 required workflows per ci-standards.md:
- ci.yml: markdownlint, yamllint, actionlint, shellcheck, AgentShield
- codeql.yml: actions language analysis
- sonarcloud.yml: code quality scanning
- claude.yml: AI-assisted PR review
- dependabot-automerge.yml: auto-merge eligible PRs
- dependency-audit.yml: vulnerability scanning
Also adds:
- .github/dependabot.yml (github-actions ecosystem)
- .markdownlint-cli2.yaml (config for standards docs)
- sonar-project.properties
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct markdownlint SHA, use npx for AgentShield, remove duplicate CodeQL
- Fix markdownlint-cli2-action SHA to v9.0.0 (v20 doesn't exist)
- Use npx ecc-agentshield CLI instead of broken GitHub Action
- Remove codeql.yml — repo already has default CodeQL setup enabled
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: relax markdownlint rules, pin actionlint download
- Disable line-length, duplicate-heading, blanks-around-lists,
bare-urls rules — existing docs have many violations; fix
incrementally as separate PRs
- Replace curl|bash with pinned version download for actionlint
(fixes SonarCloud security hotspot)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: break long line in org-scorecard.yml for yamllint
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: make actionlint fail on errors, guard shellcheck glob
- Remove || true from actionlint on our own workflows (fail properly)
- Keep || true only for template workflows (expected placeholder issues)
- Guard shellcheck glob against missing scripts/ directory
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: ignore shellcheck style hints in actionlint
SC2129 (use grouped redirects) is a style suggestion, not a bug.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add SHA256 checksum verification for curl downloads
Addresses SonarCloud security hotspots by verifying checksums
on all binary downloads:
- actionlint 1.7.7 in ci.yml
- scorecard 5.1.1 in org-scorecard.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: enforce MD041, add standards references to all YAML files
- Enable MD041 (first line heading) — all markdown files already comply
- Add header comment to each workflow YAML with purpose and link to
the org standard definition that governs it
- Add header comment to dependabot.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: resolve all markdown lint violations and enable enforced rules (#24)
* fix: resolve all markdown lint violations, enable enforced rules
Enable previously-disabled markdownlint rules:
- MD013 (line length 200, excluding tables/code blocks)
- MD024 (duplicate headings, siblings only)
- MD032 (blanks around lists)
- MD034 (no bare URLs)
Fix 54 violations across 3 files:
- AGENTS.md: wrap 44 long lines, add 6 blank lines around lists,
wrap 3 bare URLs in angle brackets
- standards/ci-standards.md: 1 blank line around list
- standards/dependabot-policy.md: 1 blank line around list
Also add .claude/ and node_modules/ to markdownlint ignore list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: indent list continuations, correct issue trigger security note
- Fix 7 locations in AGENTS.md where wrapped list items had
unindented continuation lines (breaks Markdown rendering)
- Fix ci-standards.md issue trigger security note: triage role
can also label, and compliance audit uses its own label
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add checkout step to Claude Code standard configuration (#26)
The claude-code-action requires the repository to be checked out before
it can run git operations for issue-triggered branch setup. Without
actions/checkout, issue-triggered runs fail with:
fatal: not a git repository
All org repos have already been updated with this fix.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add AgentShield CI standard and agent-shield.yml workflow template (#25)
Adds AgentShield as the 7th required CI workflow with org standard and reusable template.
* fix: add agent-shield.yml to required workflows in compliance audit
The audit script's REQUIRED_WORKFLOWS array was not updated when
AgentShield was added as the 7th required workflow. Repos missing
agent-shield.yml will now be flagged as compliance findings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add claude label to compliance audit issues
Issues need the claude label so the Claude Code workflow picks them
up for auto-remediation. The script was only applying compliance-audit.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: extend compliance audit with CI/automation health survey (#13)
Replaces compliance-audit.yml with compliance-audit-and-improvement.yml,
extending the existing weekly compliance audit with runtime health
telemetry and a forward-looking best practices research phase.
Architecture (3 jobs):
Job 1 — Compliance Audit (unchanged)
Deterministic shell script checking all repos against org standards.
Creates/updates/closes compliance issues per finding.
Job 2 — Health Survey (new)
Collects runtime telemetry across all org repos:
CI run failures (7d), security alerts (Dependabot/secret/code scanning),
PR staleness, branch protection status, workflow inventory.
Job 3 — Analyze & Create Issues (Claude, rewritten)
Six-phase analysis combining both datasets:
1. Load compliance + health data and org standards
2. Correlate and categorize findings by severity
3. Research root causes and automation opportunities
4. Evaluate against industry best practices and emerging capabilities
(agentic guardrails, supply chain integrity, reliability SLOs, etc.)
— outputs only standards proposals, not implementation issues
5. Create issues: repo-specific go in that repo, org-wide in .github,
every issue gets the claude label for agent pickup
6. Summary report to step summary
Issue rules:
- Every issue must have the `claude` label
- Repo-specific issues are created in that repo
- Org-wide and standards proposals go in .github
- Deduplicates against existing open issues
- Max 3 standards-improvement + 3 best-practices proposals per run
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: handle gh api 403/404 responses in health survey
The gh api command with --jq outputs error JSON to stdout on 403/404
before the fallback runs, producing concatenated invalid output like
'{"message":"..."}0'. This broke integer comparisons and jq parsing.
Fix: use if/else on exit code for all gh api calls (security alerts,
branch protection, workflow inventory) instead of `|| echo` fallbacks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add dependabot-rebase workflow standard (#52)
* feat: add dependabot-rebase workflow to unblock auto-merge serialization
When strict status checks require branches to be up-to-date, merging one
Dependabot PR makes others fall behind. Dependabot only rebases on its
weekly schedule, leaving auto-merge stalled. This workflow triggers on
push to main and comments @dependabot rebase on behind PRs, preserving
Dependabot's commit signature for fetch-metadata verification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use API merge method and add direct merge step
Based on testing in google-app-scripts:
- @dependabot rebase only works from human users, not bots
- API rebase breaks Dependabot ownership; API merge preserves it
- GitHub auto-merge (--auto) fails due to BLOCKED mergeable_state
- Add direct merge step and skip-commit-verification to automerge
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add concurrency group to prevent overlapping runs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use correct claude-code-action input names
The action accepts `prompt` (not `direct_prompt`) and `claude_args`
(not `timeout_minutes`/`allowed_tools`). The previous inputs were
silently ignored, causing Claude to never run.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump actions/download-artifact from 4.3.0 to 8.0.1 (#16)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-version: 8.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump pnpm/action-setup from 4.1.0 to 5.0.0 (#17)
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/a7487c7e89a18df4991f7f222e4898a00d66ddda...fc06bc1257f339d1d5d8b3a19a8cae5388b55320)
---
updated-dependencies:
- dependency-name: pnpm/action-setup
dependency-version: 5.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#18)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-go from 5.5.0 to 6.4.0 (#20)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/d35c59abb061a4a6fb18e82ac0862c26744d6ab5...4a3601121dd01d1626a1e23e37211e3254c1c06c)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/checkout from 4.2.2 to 6.0.2 (#21)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.2.2...de0fac2e4500dabe0009e67214ff5f5447ce83dd)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-node from 4.4.0 to 6.3.0 (#23)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4.4.0...53b83947a5a98c8d113130e565377fae1a50d02f)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump anthropics/claude-code-action from 1.0.83 to 1.0.89 (#22)
Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.89.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](https://github.com/anthropics/claude-code-action/compare/v1.0.83...6e2bd52842c65e914eba5c8badd17560bd26b5de)
---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
dependency-version: 1.0.89
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: remove claude_args causing exit code 1
The --allowedTools and --timeout flags passed via claude_args caused
Claude Code to exit immediately with code 1. Removing claude_args
to use defaults — the job-level timeout (45min) and permissions
(contents:read, issues:write) provide sufficient guardrails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: split Claude workflow into interactive + issue automation jobs (#54)
* feat: split Claude workflow into interactive + issue automation jobs
The single-job Claude workflow created branches for issue-labeled triggers
but never opened PRs — requiring a human to click through. Split into two
jobs so issue-triggered work runs in automation mode with a prompt that
drives the full lifecycle: implement, create PR, self-review, resolve
comments, check CI, and tag the maintainer.
Updates both the workflow and the ci-standards.md standard definition.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use CODEOWNERS for maintainer tagging instead of hardcoded username
The claude-issue prompt now reads CODEOWNERS at runtime to determine
who to tag when a PR is ready. This removes the need for per-repo
customization of the prompt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require GitHub Discussions on all repos (#53)
* feat: require GitHub Discussions on all repos with standard categories
Elevate Discussions from optional community feature to required org standard.
Add Discussions Configuration section defining required categories (Ideas,
General) and automated ideation workflow integration. Promote has_discussions
audit check from warning to error via REQUIRED_SETTINGS_BOOL.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require feature-ideation workflow for BMAD Method repos
Add bmad-method ecosystem detection (looks for _bmad/ directory) and
conditionally require feature-ideation.yml workflow. Add CI Standards
section 8 documenting the conditional workflow. Update ecosystem table
in github-settings.md to include bmad-method.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments — severity levels and requirement language
- Extend REQUIRED_SETTINGS_BOOL tuple format to include per-entry severity
(key:expected:severity:detail) instead of hardcoding all as warning
- Set has_discussions and has_issues to error severity; others remain warning
- Change feature-ideation.yml finding from warning to error for BMAD repos
- Change SHOULD to MUST for BMAD ideation workflow requirement in standards
Addresses CodeRabbit and Copilot review comments on PR #53.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: grant claude-issue job tools to create PRs and check CI (#55)
The claude-issue job had no access to `gh` CLI or file editing tools,
so Claude could implement and push but never actually open a PR.
Added --allowedTools for gh pr create/view, gh run view/watch, cat,
Edit, and Write so the automation prompt can execute end-to-end.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add apply-repo-settings.sh to remediate compliance findings (#56)
Adds `scripts/apply-repo-settings.sh`, a companion to `compliance-audit.sh`
that applies all standard repository settings defined in
`standards/github-settings.md#repository-settings--standard-defaults`.
Addresses the `allow_auto_merge` compliance finding (issue #42) and any
other boolean/merge-config drift across org repos.
Usage (after merging, run with an admin token):
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh .github
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh --all
Closes #42
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add concurrency guard and comment tools to claude-issue job
- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools so Claude can
post review replies, resolve threads, and tag code owners
- Remove Bash(cat:*) since the Read tool already covers file reads
Addresses review feedback from CodeRabbit and Copilot across org PRs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add GH_TOKEN preflight check to compliance-audit.sh (#60)
Adds an early-exit preflight check at the top of main() that:
1. Fails fast with a clear error if GH_TOKEN is unset
2. Runs gh auth status to verify the token is valid before proceeding
Previously, auth failures manifested deep in the script as cryptic
gh CLI errors rather than a clear authentication failure.
Note: the step-level GH_TOKEN env var in the workflow also needs
to be added manually (cannot be done here due to workflow permissions).
See issue #30 for the required one-line workflow change.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: replace unpinned dtolnay/rust-toolchain action with rustup in dependency-audit.yml (#72)
fix: replace unpinned dtolnay/rust-toolchain action with rustup
Replaces `uses: dtolnay/rust-toolchain@stable` (unpinned action) with a
direct `rustup toolchain install stable --profile minimal` run step.
The action was used with no parameters so this is functionally identical.
Using a run step eliminates the action-pinning compliance finding since
`run:` steps are not subject to the SHA pinning requirement.
Closes #41
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add claude.yml template + checkout audit check (#63)
fix: add claude.yml template + checkout audit check (#33)
Root cause: the recent org-wide PRs added checkout only to the
claude-issue job, leaving the claude job (PR reviews / @claude
mentions) without one. claude-code-action reads CLAUDE.md and
AGENTS.md from the working tree; without checkout it errors on
every PR-triggered run.
Changes:
- standards/workflows/claude.yml: canonical copy-paste template
with checkout in both jobs, matching the other templates in
standards/workflows/. Both checkout steps are annotated as
REQUIRED to prevent silent removal.
- scripts/compliance-audit.sh: new check_claude_workflow_checkout()
detects any repo whose claude or claude-issue job is missing
checkout and raises an error finding. Wired into the main audit
loop so weekly scans surface affected repos automatically.
- standards/ci-standards.md: added a visible callout that both jobs
need checkout and a pointer to the new template file.
Closes #33
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add has_discussions and has_issues to apply-repo-settings.sh (#59)
Extends the remediation script to include has_discussions and has_issues
settings from standards/github-settings.md#repository-settings--standard-defaults.
Previously the script only covered merge settings, leaving discussions and
issue-tracking compliance gaps unaddressed.
Closes #58
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: auto-create required labels during compliance audit (#67)
fix: auto-create required labels during compliance audit and settings apply
Adds ensure_required_labels() to compliance-audit.sh so all 6 required
labels (security, dependencies, scorecard, bug, enhancement, documentation)
are idempotently created during each audit run, eliminating the
missing-label-* compliance finding category.
Also extends apply-repo-settings.sh with apply_labels() so the remediation
script covers labels alongside repository settings.
Closes #46
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add apply-rulesets.sh to create code-quality ruleset (#71)
* feat: add apply-rulesets.sh to create code-quality ruleset
Adds scripts/apply-rulesets.sh — an IaC script that creates or updates
the code-quality repository ruleset (required status checks) for any
petry-projects repo via the GitHub API.
The script:
- Auto-detects which CI workflows are present and derives the correct
GitHub Actions check context strings (<workflow-name> / <job-name>)
- Supports --dry-run to preview without applying
- Creates or updates the ruleset idempotently (POST or PUT)
- Supports --all to run across every non-archived org repo
Closes #49
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: remove dead workflow_job_names function; guard empty checks array
- Remove unused workflow_job_names() helper — dead code never called
- Guard printf against empty array with set -u on older bash versions
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: restore executable bit on apply-rulesets.sh
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: address Dependabot major version updates and markdownlint v23 compatibility (#68)
- Disable new markdownlint rules enabled by default in v23 (MD049, MD050,
MD054, MD055, MD056, MD058) to prevent CI failures when Dependabot PR #19
(markdownlint-cli2-action v9→v23) is merged
- Sync standards/workflows/dependency-audit.yml to action versions currently
in the live workflow: actions/checkout v6.0.2, actions/setup-node v6.3.0,
and updated pnpm/action-setup and actions/setup-go patch SHAs
Note: .github/workflows/ files require manual edits (no workflow write permission):
- dependabot-automerge.yml: add skip-commit-verification: true to fix PR #22
- dependency-audit.yml: correct 6 version comments (SHA updated but comment still says v4/v5)
Closes #36
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add app secrets guard and skip-commit-verification to dependabot workflows (#69)
* fix: add app secrets guard and skip-commit-verification to dependabot workflows
- Add `Check app secrets` step to all three dependabot workflow files so
missing APP_ID/APP_PRIVATE_KEY secrets produce a clear, actionable error
instead of the cryptic [@octokit/auth-app] appId option is required message
- Add `skip-commit-verification: true` to dependabot/fetch-metadata in
.github/workflows/dependabot-automerge.yml so it accepts the GitHub-authored
merge commits produced by the dependabot-rebase workflow
Closes #29
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: shorten error message lines to satisfy 200-char yamllint rule
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add org profile README (#61)
Creates profile/README.md with org overview, project table, standards
summary, and contribution guidelines.
Closes #37
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: update Node.js runtime examples from 20 to 24 in CI standards docs (#62)
* fix: update Node.js runtime from 20 to 24 across CI config and docs
Node.js 20 runtime is deprecated; GitHub will force Node.js 24 on
June 2 2026 and remove Node.js 20 entirely on September 16 2026.
- ci.yml: pin agent-security job to node-version '24'
- standards/ci-standards.md: update npm and pnpm pattern examples
Closes #34
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* revert: restore ci.yml to previous state (workflow permission not available)
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* docs: update compliance status and add bash 4+ requirement (#73)
* docs: update compliance status and add bash 4+ requirement
- Update Current Compliance Status table: all repo settings are now
fully compliant after bulk remediation; document remaining ruleset gaps
- Add Bash 4+ requirement note to apply-repo-settings.sh (uses
associative arrays, incompatible with macOS default Bash 3.2)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add bash 4+ runtime check to apply-repo-settings.sh
Addresses Copilot review: fail fast with actionable message instead of
cryptic declare -A error on macOS Bash 3.2.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump DavidAnson/markdownlint-cli2-action from 9.0.0 to 23.0.0 (#19)
chore(deps): Bump DavidAnson/markdownlint-cli2-action
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 9.0.0 to 23.0.0.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/5b7c9f74fec47e6b15667b2cc23c63dff11e449e...ce4853d43830c74c1753b39f3cf40f71c2031eb9)
---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
dependency-version: 23.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues (#76)
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues
- Add `in-progress` label (#fbca04) to standard label set in github-settings.md
and apply-repo-settings.sh so all repos have it available for agents to claim issues
- Add `in-progress` to compliance-audit.sh REQUIRED_LABELS and ensure_required_labels()
so the audit enforces its presence across repos
- Remove `--label "claude"` from individual compliance finding issues; individual issues
now only get the `compliance-audit` label so multiple agents don't race on them
- Add create_umbrella_issue() to compliance-audit.sh: after each audit run, one umbrella
issue is created in petry-projects/.github grouping all findings by remediation category.
Only the umbrella gets the `claude` label, triggering one coordinated agent run instead
of N competing agents each fixing the same script/file
- Add "Multi-Agent Issue Coordination" section to AGENTS.md with:
- Claim-before-work protocol (check in-progress label, check for open PRs, claim before
writing code, release claim on abandonment)
- File-conflict check (search open PRs for the target file before creating it)
- Compliance umbrella issue guidance (work from umbrella, fix whole category per PR)
Closes #75
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: declare body separately in create_umbrella_issue to satisfy ShellCheck SC2155
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: reusable Claude Code workflow with workflows write permission (#77)
feat: extract reusable Claude Code workflow with GH_PAT_WORKFLOWS support
Centralizes the Claude Code prompt and config into a reusable workflow
(claude-code-reusable.yml) so repo-level claude.yml files are thin callers.
Adds github_token input using GH_PAT_WORKFLOWS secret to grant workflows
write permission, unblocking Claude from pushing .github/workflows/ changes.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add pr-quality ruleset support to apply-rulesets.sh
Adds build_pr_quality_ruleset_json() function and updates apply_rulesets()
to create/update the pr-quality ruleset on each repo, per the standard
defined in standards/github-settings.md.
Ruleset enforces:
- 1 required approving review
- Dismiss stale reviews on push
- Require code owner review
- Require last push approval
- All review threads resolved before merge
- Linear history (squash-only merges)
- No force pushes, no branch deletion
Bypass actors: OrganizationAdmin (always), dependabot-automerge-petry (pull_request).
Also removes stale TODO note from standards/github-settings.md about
pr-quality support being missing from the script.
Closes #48
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add CODEOWNERS file for code owner review enforcement
Adds .github/CODEOWNERS assigning @don-petry as default owner for all files.
Satisfies the pr-quality ruleset requirement for code owner reviews (the
"Require code owner review" setting has no effect without a CODEOWNERS file).
Closes #50
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* Add Feature Ideation workflow as standard for BMAD-enabled repos (#81)
* feat: add Feature Ideation workflow as a standard for BMAD-enabled repos
Promotes the BMAD Analyst (Mary) feature ideation workflow piloted in
petry-projects/TalkTerm to an org-wide standard for any repo with BMAD
Method installed.
Adds:
- standards/workflows/feature-ideation.yml — the canonical template,
generalised from TalkTerm. Customisation surface is a single
PROJECT_CONTEXT env var that describes the project and its market.
- standards/ci-standards.md §8 rewrite — documents the multi-skill
ideation pipeline (Market Research → Brainstorming → Party Mode →
Adversarial), the Opus 4.6 model requirement, the github_token
permissions gotcha, and the show_full_output secrets hazard.
- standards/agent-standards.md — adds a "BMAD Method Workflows"
section linking the standard from the agent ecosystem docs.
The four critical gotchas baked into the template were each discovered
empirically during the TalkTerm pilot and would silently regress without
the inline comments. Most importantly: the action's auto-generated
claude[bot] App token lacks discussions:write, so the workflow MUST
pass github_token: ${{ secrets.GITHUB_TOKEN }} explicitly or every
Discussion mutation fails silently while the run reports success.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: split feature-ideation into reusable workflow + thin caller stub
Avoids ~600 lines of prompt duplication across every BMAD-enabled repo and
makes the multi-skill ideation pipeline tunable in one place — changes here
propagate to every adopter on next scheduled run.
- .github/workflows/feature-ideation-reusable.yml — the actual reusable
workflow (workflow_call). Contains both jobs (signal collection +
analyst), the full Phase 1-8 prompt, and the four critical gotchas
(Opus 4.6 model, github_token override, no show_full_output, structural
Phase 2-5 sequence) hard-coded so they cannot regress.
- standards/workflows/feature-ideation.yml — replaced the 600-line copy
with a ~60-line caller stub that only defines the schedule, the
workflow_dispatch inputs, and a single required parameter:
project_context.
- standards/ci-standards.md §8 — documents the reusable + caller stub
architecture, the inputs/secrets contract, and updated adoption steps.
Reference implementation pointer updated to note that TalkTerm is now
also a thin caller stub.
Inputs exposed by the reusable workflow:
- project_context (required) — project description for Mary
- focus_area (default '') — typically wired to workflow_dispatch
- research_depth (default 'standard')
- model (default 'claude-opus-4-6') — escape hatch only
- timeout_minutes (default 60)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): add shellcheck disable for GraphQL variable false positive
The gh api graphql queries use $repo / $owner / $categoryId as GraphQL
variables (not shell expansions), which must remain in single quotes.
shellcheck SC2016 fires anyway — disable it for this script.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): use quoted heredocs for GraphQL queries to satisfy SC2016
actionlint runs shellcheck on the entire run script as one unit and ignores
inline disable directives. Rewriting the gh api graphql calls to use
cat <<'GRAPHQL' heredocs makes the GraphQL variable references ($repo,
$owner, $categoryId) shell-inert without depending on single-quoted
string literals — eliminating the SC2016 false positive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: expand prompt variables via Actions expressions, add placeholder guard
CodeRabbit caught a critical latent bug inherited from the original TalkTerm
prompt: shell-style $VAR and $(date) syntax inside the action's `prompt:`
input is NOT expanded — the action receives literal text. This silently
broke variable substitution in every prior run, but mattered most for the
new reusable workflow because PROJECT_CONTEXT is now load-bearing.
Changes:
- Replace $PROJECT_CONTEXT, $FOCUS_AREA, $RESEARCH_DEPTH, and $(date ...)
with ${{ inputs.* }} and ${{ github.run_started_at }} expressions, which
ARE evaluated by GitHub before passing the prompt to the action.
- Add a "Validate project_context is customised" pre-step that fails fast
if an adopter copied the caller stub without replacing the TODO
placeholder. Prevents wasted Opus runs producing generic Discussions.
- scripts/compliance-audit.sh: detect BMAD repos via `_bmad-output/` as
well as `_bmad/`, matching the broader detection rule documented in
ci-standards.md §8 (TalkTerm only has `_bmad-output/`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): drop github.run_started_at (not in actionlint context schema)
The agent can read scan_date from signals.json instead — added a hint
in the Environment section.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(caller): grant cascading permissions on the calling job
CodeRabbit caught: the caller stub had `permissions: {}` at workflow
level and no permissions block on the calling job. Reusable workflows
inherit permissions from the calling job — without an explicit grant,
the reusable workflow's `discussions: write` declaration would have
nothing to apply, and Discussion mutations would fail with FORBIDDEN
just like the original bug we fixed in TalkTerm.
The reusable workflow's job-level permissions are documentation of
what it needs; the caller is what actually grants them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use claude_args --model interface; instruct re-query before create
Two more fixes from CodeRabbit review:
1. Model selection via claude_args (the documented v1 interface)
instead of ANTHROPIC_MODEL env var. claude_args takes precedence over
the env var per the action's docs, so depending on the env var was
relying on undocumented behavior. The pinned v1.0.89 happens to honor
ANTHROPIC_MODEL too (verified in TalkTerm run #3 logs), but the
documented path is more robust against future action upgrades.
2. Re-query existing Ideas discussions before each create. The signals
snapshot only fetches the first page of discussions (GraphQL caps
connections at 100 per page) and only covers the Ideas category, not
the General fallback. Mary now does a fresh query before each create
to avoid duplicates in repos with >100 idea threads or where Ideas
doesn't exist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: pass GH_PAT_WORKFLOWS to actions/checkout so git push uses workflow-scoped token (#82)
* fix: auto-create missing required labels during compliance audit (#79)
Replace passive `missing-label-*` findings with active label creation.
`check_labels()` now calls `gh label create --force` for any required
label absent from a repo. A compliance finding is only filed if creation
fails (insufficient permissions) or when running in DRY_RUN mode.
Resolves the recurring `missing-label-scorecard` finding (#47) by
creating the label on the next audit run rather than just reporting it.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: encode compliance-fix learnings into standards and Claude prompt (#86)
* fix(claude-action): grant administration:write, allow gh api/label create, add standards-conformance prompt rules
* docs(ci-standards): add 'Using Templates' section, SHA lookup procedure, document administration:write
* docs(AGENTS): link standards root and per-topic standards files at top of file
* docs(AGENTS): wrap standards-rule paragraph to satisfy MD013 line-length
* fix(claude-action): yamllint disable for long allowedTools line
* fix(claude-action): remove invalid 'administration' permission scope; document GH_PAT_WORKFLOWS as the actual mechanism
* docs(ci-standards): replace bogus 'administration: write' note with explanation of how admin ops actually work via GH_PAT_WORKFLOWS
* feat(workflows): centralize standards via reusable workflows (#87)
* feat(workflows): centralize standards via reusable workflows
Build org-wide reusable workflows for the four standards that previously
required full inline copies in every downstream repo, and migrate the
matching standards/workflows/*.yml templates to thin caller stubs that
delegate via `uses: petry-projects/.github/.github/workflows/*-reusable.yml@main`.
This extends the pattern already proven by feature-ideation and the
existing claude-code-reusable workflow to the rest of the standard set:
- dependency-audit-reusable.yml (zero per-repo config)
- dependabot-automerge-reusable.yml (uses secrets: inherit for APP_*)
- dependabot-rebase-reusable.yml (uses secrets: inherit for APP_*)
- agent-shield-reusable.yml (inputs for severity/required-files/org-ref)
The standards/workflows/claude.yml template was also still the inline
115-line version even though claude-code-reusable.yml has existed for
weeks; migrate it to a stub matching the central repo's own claude.yml.
Each migrated stub now carries a uniform "SOURCE OF TRUTH" header block
telling agents what they may and may not edit. Net effect: ~580 lines
removed from standards/workflows, single point of maintenance for the
five centralizable workflows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): grant read permissions to dependabot caller stubs
Reusable workflows can be granted no more permissions than the calling
workflow has. The dependabot-automerge and dependabot-rebase stubs had
`permissions: {}` at workflow level with no job-level overrides, which
intersected to zero — the reusable's `gh pr ...` calls would fail
because GITHUB_TOKEN had no scopes.
Fix: declare `contents: read` and `pull-requests: read` on the calling
job, matching the scopes the reusable's job already declares. Caught
by Copilot review on #87.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(workflows): note permissions stanza in immutable-stub contract
CodeRabbit follow-up on #87: now that the dependabot stubs declare a
job-level permissions block (required for the reusable's gh API calls),
add it to the "MUST NOT change" list so future adopters don't strip it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(workflows): pin reusable callers to @v1 and document tier model (#88)
* feat(workflows): pin all reusable callers to @v1 + add tier model
Pins all stubs in standards/workflows/ and the central repo's own
.github/workflows/claude.yml from @main to @v1. From here on, a bad
commit on main cannot break every downstream repo simultaneously —
breaking changes will publish v2 and downstream repos opt in.
Adds a "Centralization tiers" section to ci-standards.md documenting
the three tiers (stub / per-repo template / free per-repo) so future
agents know whether a workflow file is editable, what they may tune,
and where to send fixes when behavior needs to change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* revert(workflows): keep central claude.yml caller at @main in this PR
claude-code-action validates that .github/workflows/claude.yml in a PR
is byte-identical to main, so updating it within a normal PR is
impossible — the validation fails before the merge can land. Updating
the central repo's own caller will be done as a tiny separate change
after this lands.
Standards stubs remain pinned to @v1 — that is the change that matters
for downstream repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): unify feature-ideation header + correct tier doc
Address Copilot review on #88:
1. feature-ideation.yml: prepend the same SOURCE OF TRUTH header block
used by the other Tier 1 stubs so the claim "Tier 1 stubs all carry
an identical header" is actually true.
2. ci-standards.md tier table: drop the inaccurate "~30-line" claim
(feature-ideation.yml is ~95 lines because of the `project_context`
input). Replace with "thin caller stub" and call out feature-ideation's
required input alongside agent-shield's optional ones.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect non-stub centralized workflow copies (#89)
* feat(compliance-audit): detect non-stub centralized workflow copies
Adds a new check to compliance-audit.sh that flags downstream repos
whose Tier 1 workflows are not the canonical thin caller stubs pinned
to @v1. For each centralizable workflow (claude, dependency-audit,
dependabot-{automerge,rebase}, agent-shield, feature-ideation), the
check distinguishes three failure modes for actionable findings:
1. Inline copy of pre-centralization logic
→ "is an inline copy instead of a thin caller stub"
2. References the reusable but not pinned to @v1 (e.g. @main, @v0)
→ "references the reusable but is not pinned to @v1"
3. Some other malformed uses: line
→ "the uses: line does not match the canonical stub"
The central .github repo is exempt because it owns the reusables and
may legitimately reference them by @main during release preparation.
Verified locally with hand-crafted fixtures: stub@v1 → no finding,
stub@main → flagged with the @v1 message, inline copy → flagged with
the inline message, missing file → no finding (handled by
check_required_workflows).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): use fixed-string grep for reusable path match
CodeRabbit on #89: the second-branch grep used an unescaped
"petry-projects/.github/.github/workflows/${reusable}" pattern,
where BRE dots could in principle match any character. Switch to
\`grep -F\` (fixed-string) to match the path literally. No real-world
false positive observed (workflow paths contain literal dots), but
the hygiene is right.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): anchor uses: regex + reduce per-repo API calls
Address remaining Copilot review feedback on #89:
1. Anchor the \`uses:\` regex to start-of-line + optional indent
(\`^[[:space:]]*uses:\`) so a commented \`# uses: ...@v1\` line
cannot fool the check into marking an inline workflow as compliant.
Verified with a fixture: a workflow whose only mention of @v1 is in
a YAML comment is now correctly flagged.
2. List \`.github/workflows/\` once per repo and short-circuit the
per-file check when the workflow isn't present, instead of probing
each of the six centralized files individually. Cuts up to 5 wasted
gh api calls per repo (worst case ~2500 fewer requests across the
org per audit run).
3. Drop the misleading "missing workflow caught by check_required_workflows"
comment — only some of the six are required (claude, dependency-audit,
dependabot-automerge, agent-shield); dependabot-rebase and feature-ideation
are intentionally optional/conditional. The new directory-listing
short-circuit handles all of these uniformly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(apply-rulesets): use Tier 1 reusable check names (#94)
Closes #91.
`scripts/apply-rulesets.sh` previously only knew about claude.yml,
sonarcloud.yml, codeql.yml, and ci.yml when building required-status-
checks lists. For claude.yml it composed `<workflow-display-name> /
claude` (e.g. "Claude Code / claude") — but GitHub actually publishes
reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`,
which is "claude-code / claude". The old format never matched real
checks, so the rule was effectively never satisfied — which is why
markets and bmad-bgreat-suite deadlocked at merge time after #87.
Fix:
- Drop the legacy claude.yml block.
- Hardcode the new check names for the centralized workflows that ARE
safe to require: `agent-shield / AgentShield` and
`dependency-audit / Detect ecosystems`.
- Document why claude-code / claude, the per-ecosystem dependency-audit
jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT
required: claude-code's app-token validation deadlocks workflow PRs;
per-ecosystem jobs report SKIPPED when their lockfile is absent and
required-but-skipped fails the gate; the dependabot/feature-ideation
jobs run on triggers other than regular PRs.
After this lands, run `apply-rulesets.sh` against every petry-projects
repo to converge on the new names.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): address CodeRabbit suggestions deferred from #87 (#93)
* fix(workflows): address CodeRabbit suggestions deferred from #87
Closes #90.
1) agent-shield-reusable.yml — SKILL.md frontmatter regex now allows
optional leading whitespace (`^[[:space:]]*name:` /
`^[[:space:]]*description:`), so indented YAML keys (e.g. under a
`metadata:` parent) are recognised as present. Previously the strict
column-zero anchor missed them.
2) dependabot-rebase-reusable.yml — fix vacuous-truth merge gate.
`[].statusCheckRollup[]? | ... | all(...)` returns true on an empty
list (logical convention), which made a PR with no status checks
appear "all green" and trigger an auto-merge. New gate also requires
at least one COMPLETED check before merging, in addition to the
existing all-pass and zero-pending requirements. Also collapses the
three `gh pr view` calls into one round-trip via a shared $ROLLUP.
3) dependency-audit-reusable.yml — cargo audit no longer re-runs per
workspace member. The new logic finds workspace roots (Cargo.toml
files containing `[workspace]`) and audits them once each, then
audits standalone crates whose dir is not under any workspace root.
For a workspace with N members, that's 1 audit instead of N+1.
4) dependency-audit-reusable.yml — pip-audit now audits both
pyproject.toml AND requirements.txt when both exist in the same
directory (some projects ship pyproject for tooling and
requirements.txt for pinned runtime deps). Previously the elif
branch made requirements.txt unreachable.
All four were originally raised by CodeRabbit on petry-projects/.github#87
and intentionally deferred to keep that PR no-behavior-change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): single space before cron comment in feature-ideation stub
The canonical stub had three spaces aligning the comment after the cron
expression. Repos that run prettier in their lint chain (e.g.
google-app-scripts) hit a `prettier --check` failure on every fresh
adoption — see petry-projects/google-app-scripts#151. Bringing the
template in line with prettier defaults so future adopters don't drift.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect stale required-check names in rulesets (#96)
* feat(compliance-audit): detect stale required-check names in rulesets
Closes #92.
Adds `check_centralized_check_names` to compliance-audit.sh. For every
non-`.github` repo in the org, fetches the active required-status-check
contexts from BOTH the new ruleset system (gh api .../rules/branches/main)
and classic branch protection (gh api .../branches/main/protection),
then flags two distinct problems:
1. Stale pre-centralization names (`claude`, `claude-issue`,
`AgentShield`, `Detect ecosystems`) — emits
`stale-required-check-<old-name>` with the canonical replacement in
the message.
2. `claude-code / claude` listed as required — emits
`required-claude-code-check-broken` because that check is
structurally incompatible with workflow-modifying PRs:
claude-code-action's GitHub App refuses to mint a token whenever
the PR diff includes a workflow file, so the check fails on every
workflow PR and the merge gate becomes a deadlock. This was the
exact root cause of the markets/bmad-bgreat-suite stuck PRs from
#87 sweep.
Tested locally with stub fixtures for all four cases (stale claude,
stale AgentShield, broken claude-code/claude, clean ruleset).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): never recommend renaming claude → claude-code/claude
CodeRabbit on #96: the rename map said `claude` → `claude-code / claude`,
but a separate check correctly flags `claude-code / claude` as a forbidden
required check (it deadlocks workflow PRs). Following the rename
recommendation would have moved a repo from one broken state to another.
Fix: split the logic into two distinct sets.
1. `renames[]` — only contains checks where the new name is safe to
require (AgentShield, Detect ecosystems). These get a "rename to X"
message.
2. `forbidden_required[]` — contains every claude variant (legacy and
post-centralization). Any of them as a required check emits a
stable per-name finding telling the maintainer to REMOVE it from
required checks, not rename it.
The Claude review check still runs and surfaces feedback on normal PRs
without being a merge gate; only the required-status-checks pin is
removed.
Each forbidden_required entry maps to a stable check id so findings
don't churn across audit runs from slashes in canonical names.
Verified locally with stub fixtures for all five cases:
stale `claude` -> required-claude-check-broken
stale `claude-issue` -> required-claude-issue-check-broken
`claude-code / claude` -> required-claude-code-check-broken
stale `AgentShield` -> stale-required-check-AgentShield (rename)
clean ruleset -> 0 findings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): suffix-match forbidden Claude required checks
Address remaining CodeRabbit feedback on #96: the previous exact-match
list (`claude-code / claude`, `claude-code / claude-issue`) only caught
the canonical caller-job-id. Repos with a custo…
Adds persist-credentials: false to copilot-setup-steps.yml checkout step. Updates .gitignore to cover .dev-lead/ worktrees and CI-generated actionlint binaries. Updates standards/workflows/copilot-setup-steps.yml to match. Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: remove deprecated claude.yml from standards The claude.yml workflow template has been deprecated in favor of dev-lead.yml as the standard workflow for all org repos (PR #301). All repos have migrated to dev-lead.yml. This removes the obsolete template from the org-level standards directory. * docs: refresh github-settings.md with org-level workflows and engine support - Remove outdated "Current Compliance Status" section (was always going stale) - Add "AI Engine Support" documenting Claude/Gemini/Copilot options in dev-lead - Document optional org-level secrets for alternative engines (GOOGLE_API_KEY, GH_PAT) - Add "Organization-Level Workflows" section with Actions Fleet Monitor, Compliance Audit, Scorecard, etc. - Expand "Audit & Compliance" with detailed compliance audit process steps - Note alternative engine auto-trigger settings for future Gemini/Copilot deployments Reflects current org capabilities for multi-engine code review and org-wide observability. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove dangling references to deleted claude.yml template Addresses all 4 unresolved findings from PR review cycles: 1. scripts/deploy-standard-workflows.sh:43 - Removed claude.yml from DEPLOYABLE_WORKFLOWS array - Prevents "No template" errors during workflow deployments 2. AGENTS.md:19 - Updated workflow templates list to remove claude.yml - Replaced with current standard (dev-lead.yml) 3. standards/ci-standards.md:310 - Updated deprecation notice to remove broken link to deleted template - Redirects to migration section for historical reference 4. scripts/compliance-audit.sh - Removed check_claude_workflow_checkout() function (dead code) - Removed commented-out call site (already marked as removed 2026-05) All referenced files now internally consistent with template deletion. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: markdown lint errors — add blank lines around lists * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] --------- Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
* chore: re-trigger CI checks Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * chore: remove committed binary file Removes the actionlint binary that was incorrectly committed to the repository. Binary executables should not be version controlled in git. They should be downloaded or installed during CI/CD pipelines via package managers or GitHub releases. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
* fix(ci): pin claude-code-reusable.yml to @v1 per action pinning policy Copies claude.yml verbatim from the org standards template (standards/workflows/claude.yml). Key changes: - @main → @v1 (internal reusable refs use tag, not branch, per ci-standards.md) - Add paths-ignore OIDC guard on pull_request trigger - Add canonical header comment block from template Closes #105 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix: remove accidentally committed actionlint binary This binary file should not be in the repository. It appears to have been committed accidentally during manual instructions applied to this branch. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
…aller stub Replaces the standalone workflow (which contained the unpinned dtolnay/rust-toolchain@stable action) with the org-standard thin caller stub that delegates to the centrally-maintained reusable workflow. The reusable workflow uses rustup directly, removing the third-party action entirely. Closes #106 Rebased onto main by claude[bot] (auto-rebase). Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Contributor
Author
Dev-Lead — rebase (applied)Rebase completed and pushed. |
Removed duplicate job definitions from claude-code-reusable.yml that were causing YAML key-duplication errors (claude-fix-review-comments and claude-ci-fix). Also removed duplicate sections from AGENTS.md and standards/ci-standards.md that were causing markdown duplicate-heading errors. - claude-code-reusable.yml: removed duplicate jobs (lines 233-406) - AGENTS.md: removed duplicate "Multi-Agent Isolation" section - standards/ci-standards.md: removed duplicate "Conditional Workflows" section and updated link reference from #8 to #9 heading Fixes Lint, Lint YAML, and Lint GitHub Actions checks. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Contributor
Author
Dev-Lead — fix-bot-comment (applied)Changes committed and pushed. |
|
Contributor
Author
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
Contributor
Review — fix requested (cycle 1/3)The automated review identified the following issues. Please address each one: Findings to fixAutomated review — NEEDS HUMAN REVIEWRisk: MEDIUM SummaryThe core change — replacing the standalone dependency-audit.yml with the org-standard thin caller pinned to a full reusable-workflow SHA (d3d768d) — is sound, addresses #106, and improves the actions security posture; all CI is green and SonarCloud passed. CodeRabbit's CHANGES_REQUESTED is stale (2026-05-08, older SHA, flagged a floating @v1 tag that is now SHA-pinned). However, the PR also carries two unexplained, out-of-scope edits not mentioned in its description: a third duplicate copy of ensure_required_labels() in scripts/compliance-audit.sh and a duplicated paragraph in standards/ci-standards.md. No security-sensitive surface (secrets/auth/migrations) is touched, so this stays MEDIUM; the duplications fail the well-structured gate, so this is escalated back for cleanup rather than to the security auditor. Downstream impact: none. Findings
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: opus 4.8 + duck: o4-mini → audit: fable 5). Reply if you need a human review. Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dependency-audit.ymlworkflow (which contained the unpinneddtolnay/rust-toolchain@stableaction) with the org-standard thin caller stubdependency-audit-reusable.yml, which usesrustupdirectly — eliminating the third-party action and its pinning violationstandards/workflows/dependency-audit.ymlper the AGENTS.md standardRoot cause
The standalone workflow was out of sync with the org standard. The reusable workflow was already updated to use
rustupdirectly (no third-party action), but the caller was never migrated from the old standalone form to the thin caller stub.Test plan
dependency-audit.ymlfor unpinned actionsCloses #106
Generated with Claude Code
Summary by CodeRabbit