fix(ci): pin claude-code-reusable.yml ref to @v1

[don-petry]

Summary

• Copies .github/workflows/claude.yml verbatim from the org-level template (standards/workflows/claude.yml)
• Changes uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main → @v1 — internal reusable workflow refs use a version tag, not a branch ref, per the Action Pinning Policy in ci-standards.md
• Adds paths-ignore OIDC guard on pull_request trigger (prevents 401 token-exchange failures when this file itself is the only change in a PR)
• Adds canonical header comment block from the template

Why not SHA-pin?

Per ci-standards.md §Action Pinning Policy, internal reusable workflow refs (petry-projects/.github/.github/workflows/*) are exempt from SHA-pinning. The @v1 tag is the correct, stable reference. SHA-pinning this line would break OIDC token validation.

Test plan

• CI passes on this PR
• Compliance audit no longer flags claude.yml as having an unpinned action

Closes #105

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflow configuration to use a stable version reference, improving release consistency and reliability.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 23 minutes and 3 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4dbab225-6dc0-4404-8e63-40a081a90992

📥 Commits

Reviewing files that changed from the base of the PR and between 3c0c38f and aad84ee.

📒 Files selected for processing (1)

• actionlint

📝 Walkthrough

Walkthrough

The .github/workflows/claude.yml file is updated to pin its reusable workflow reference from @main to the stable @v1 tag. All other workflow structure, permissions, and secrets inheritance remain unchanged. This single-line change addresses the action-pinning compliance requirement.

Changes

Workflow Reference Pinning

Layer / File(s)	Summary
Workflow Reference Update .github/workflows/claude.yml	Reusable workflow uses: reference changed from petry-projects/.github/.github/workflows/claude-code-reusable.yml@main to @v1 tag.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• Compliance: unpinned-actions-claude.yml #105: This PR directly resolves the compliance finding flagged by this issue—the change pins the reusable workflow reference to @v1 instead of the unpinned @main branch, satisfying the action-pinning policy requirement.

Possibly related PRs

• petry-projects/.github#77: Earlier PR that introduced the reusable workflow delegation pattern in claude.yml; this PR pins that reference to stable @v1.
• petry-projects/.github#159: Documents and validates the use of @v1 for reusable workflow references, providing the stability framework this PR implements.
• petry-projects/.github#89: Adds audit enforcement that workflows must reference reusable workflows with @v1, which this PR satisfies.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: pinning the claude-code-reusable.yml workflow reference from @main to @v1.
Linked Issues check	✅ Passed	The PR successfully addresses issue #105 by changing the reusable workflow reference from @main to @v1, which complies with the action pinning policy for internal reusable workflows.
Out of Scope Changes check	✅ Passed	All changes in the PR are directly related to issue #105: updating the workflow reference to comply with action pinning policy; no unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-105-20260508-1731

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@petry-projects/org-leads — this PR is ready for review and merge. All required CI checks pass. It fixes the compliance finding by copying .github/workflows/claude.yml verbatim from the org template, changing @main → @v1 on the reusable workflow ref (internal refs use version tags, not branches, per ci-standards.md).

[Copilot]

Pull request overview

Updates the repository’s claude.yml Tier-1 workflow stub to match the org standard template and switch the reusable workflow reference from a branch ref (@main) to a version tag (@v1).

Changes:

• Adds the canonical “SOURCE OF TRUTH” header block from standards/workflows/claude.yml.
• Adds paths-ignore on the pull_request trigger for .github/workflows/claude.yml.
• Changes reusable workflow reference from claude-code-reusable.yml@main to @v1.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

The merge-base changed after approval.

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[donpetry-bot]

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[don-petry]

Dev-Lead Fix CI — failed

PR: #218 | SHA: b9092f27821790fd60c7a90991a1c31fd32cf185
Engine invocation failed after all retries.

[don-petry]

Dev-Lead Fix CI — failed

PR: #218 | SHA: 2715d44cb50124b2288e6479050dee8605ec9fbb
Engine invocation failed (exit 1)

[don-petry]

Dev-Lead Fix CI — exhausted

This PR has had 2 consecutive engine failures (timeouts or errors). Automated CI fixing has been paused to avoid consuming further tokens.

Reason for last failure: Engine invocation failed (exit 1)

To re-enable, delete this comment or push a new commit with a substantially different change.

[don-petry]

Dev-Lead Fix CI — failed

PR: #218 | SHA: 57e41dac35bf44d17ac09dbb02c62cdefff9c1fc
Engine invocation failed (exit 1)

[don-petry]

Dev-Lead Fix CI — exhausted

This PR has had 2 consecutive engine failures (timeouts or errors). Automated CI fixing has been paused to avoid consuming further tokens.

Reason for last failure: Engine invocation failed (exit 1)

To re-enable, delete this comment or push a new commit with a substantially different change.

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[don-petry]

Dev-Lead — rebase (no-changes)

Agent reasoning

PR: #218
Rebased onto: main (62516a7)
Conflicts resolved: 1 file
- .github/workflows/claude.yml: modify/delete conflict — main had deleted the old
  version (31 lines, @main pin) as part of promoting dev-lead.yml (#301), while the
  PR modified it to add a header comment block and pin the reusable ref @main → @v1.
  Kept the PR's version per the "prefer PR changes" rule.
Push: success (forced update: 9444491 → 04bd613)
```
**Note:** The PR branch previously had 173 commits (kept in sync with main via repeated merges). After the rebase, it's a clean single commit on top of `origin/main`. The `claude-code-reusable.yml` file that existed on the old branch is no longer present — it was never part of this PR's commit, only inherited from merged-in main history that has since been superseded.

[don-petry]

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #218
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-08T23:14:59Z

[don-petry]

Note

I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-06-08T23:14:59Z

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.