petry-projects · don-petry · Jun 20, 2026 · Jun 20, 2026 · Jun 20, 2026 · Jun 20, 2026
@@ -30,4 +30,4 @@ permissions:
 
 jobs:
   agent-shield:
-    uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v2
+    uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@agent-shield/stable
@@ -2,10 +2,10 @@
 # Standard: petry-projects/.github/standards/push-protection.md#required-repo-level-settings
 #
 # Applies repository-level security settings (secret_scanning_ai_detection, etc.)
-# via scripts/apply-repo-settings.sh on every push to main and on a weekly
-# schedule (Mon 03:00 UTC) so that security_and_analysis settings documented
-# in .github/settings.yml stay in effect and drift is caught between compliance
-# audits. Also triggerable manually for out-of-band remediation.
+# via scripts/apply-repo-settings.sh on path-filtered pushes to main, on a
+# weekly schedule (Mondays 06:00 UTC), and via manual dispatch. This ensures
+# security_and_analysis settings documented in .github/settings.yml stay in
+# effect and prevents drift over time.
 #
 # Token: GH_PAT_WORKFLOWS (classic PAT with repo scope).
 # `administration` is not a valid GITHUB_TOKEN scope in Actions; and the
@@ -20,18 +20,12 @@ on:
     paths:
       - .github/settings.yml
       - scripts/apply-repo-settings.sh
-      - .github/workflows/apply-repo-settings.yml
   schedule:
-    # Reinforce settings weekly (Mon 03:00 UTC) so drift is caught between compliance audits.
-    - cron: '0 3 * * 1'
+    - cron: '0 6 * * 1'  # Weekly Monday 06:00 UTC — prevents settings drift
   workflow_dispatch:
 
 permissions: {}
 
-concurrency:
-  group: apply-repo-settings
-  cancel-in-progress: false
-
 jobs:
   apply:
     name: Apply security_and_analysis settings

@@ -41,6 +41,6 @@ jobs:
     if: >-
       github.event.check_run.conclusion == 'failure' &&
       !startsWith(github.event.check_run.name, 'CI Failure Analyst')
-    uses: petry-projects/.github-private/.github/workflows/ci-failure-analyst-reusable.yml@ac05d653e05c038bf5f82b1e9612d5015399a675 # main
+    uses: petry-projects/.github-private/.github/workflows/ci-failure-analyst-reusable.yml@121bee881bd13715706d30230b2d5a8d2d78b0b1 # main
     secrets:
       CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
@@ -35,5 +35,5 @@ jobs:
     permissions:
       contents: read
       pull-requests: read
-    uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v2
+    uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@dependabot-automerge/stable
     secrets: inherit
@@ -30,4 +30,4 @@ permissions:
 
 jobs:
   dependency-audit:
-    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v2
+    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@dependency-audit/stable
@@ -88,7 +88,7 @@ jobs:
       discussions: write
       id-token: write
       actions: read
-    uses: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml@cc05a74683f8e3564592878e417bb20f8013f16f # v1
+    uses: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml@ce8a8c328b21feb26c7bb9ef81ffb26354e9a4da # v1
     with:
       # === CUSTOMISE THIS PER REPO — the only required edit ===
       # Replace this paragraph with a 3-5 sentence description of your project,

@@ -41,3 +41,4 @@ jobs:
       statuses: read
     uses: petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml@v2
     secrets: inherit
+
@@ -1,62 +1,28 @@
 name: PR Review Agent
 
-# Thin caller for the org PR Review agent (petry-projects/.github-private),
-# pinned to the known-good `pr-review/stable` channel. Adopted from the validated
-# `.github-private/pr-review-trigger.yml` template (#536 consumer fan-out).
-#
-# - Version selection is the `pr-review/stable` tag. The `uses:` line is pinned
-#   to the tag's current commit SHA and must be bumped when the tag is promoted.
-#   `agent_ref` tracks the mutable tag so agent scripts use the promoted version.
-# - `agent_ref: pr-review/stable` pins the agent's own scripts to the same
-#   channel (#506), so the review logic AND scripts run the known-good version.
-# - Secrets are passed explicitly to the reusable workflow.
-#   `DON_PETRY_BOT_GH_PAT_CLASSIC` is a classic PAT — required for approvals since
-#   fine-grained PATs cannot `addPullRequestReview`.
-
 on:
-  check_suite:
-    types: [completed]
-  pull_request_review:
-    types: [submitted, dismissed]
   pull_request:
-    types: [opened, ready_for_review, reopened, synchronize]
+    types: [opened, synchronize, reopened]
+  pull_request_review_comment:
+    types: [created]
+  issue_comment:
+    types: [created]
   workflow_dispatch:
     inputs:
-      pr_url:
-        description: "Optional: review a single PR URL instead of enumerating"
-        required: false
-        type: string
-      dry_run:
-        description: "If true, never submit reviews or comments"
+      pr_numbers:
+        description: "PR numbers to review (comma-separated)"
         required: false
-        default: "false"
-        type: string
-      force_review:
-        description: "If true, bypass idempotency and re-review at the same head SHA"
-        required: false
-        default: "false"
-        type: string
-  repository_dispatch:
-    types: [pr-review-mention]
 
 permissions: {}
 
+concurrency:
+  group: pr-review-${{ github.event.pull_request.number || github.event.issue.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
-  review:
-    permissions:
-      contents: read
-      pull-requests: write
-      checks: read
-    uses: petry-projects/.github-private/.github/workflows/pr-review.yml@ded84ce4820dce379f177f9992beb74483f6d6b4 # pr-review/stable (v1.7.0)
-    with:
-      agent_ref: pr-review/stable
-      pr_url: ${{ inputs.pr_url || '' }}
-      dry_run: ${{ inputs.dry_run || '' }}
-      force_review: ${{ inputs.force_review || '' }}
+  pr-review:
+    uses: petry-projects/.github-private/.github/workflows/pr-review-reusable.yml@ceab48a1c64d1e06a87d41ea5cf590c8e6a780bf
     secrets:
       CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
       GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-      DON_PETRY_BOT_GH_PAT: ${{ secrets.DON_PETRY_BOT_GH_PAT }}
-      DON_PETRY_BOT_GH_PAT_CLASSIC: ${{ secrets.DON_PETRY_BOT_GH_PAT_CLASSIC }}
-      GH_PAT: ${{ secrets.GH_PAT }}
@@ -23,4 +23,4 @@ jobs:
           fetch-depth: 0
       - name: SonarCloud Scan
         if: ${{ env.SONAR_TOKEN != '' }}
-        uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
+        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1.0
Original file line number	Diff line number	Diff line change
Expand Up		@@ -41,3 +41,4 @@ jobs:
		statuses: read
		uses: petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml@v2
		secrets: inherit