fix: exempt internal reusable workflow refs from action-pinning check

[don-petry]

Summary

• The check_action_pinning function in scripts/compliance-audit.sh was generating false-positive findings for petry-projects/.github reusable workflow refs (e.g. @v1 tags)
• standards/ci-standards.md#exception-internal-reusable-workflow-references explicitly exempts these refs from SHA pinning — they intentionally use tags and must NOT be SHA-pinned
• Added a grep -vE 'petry-projects/\.github/' exclusion to filter out these refs from the unpinned-action detection

Test plan

• Verify the compliance audit no longer flags dependabot-automerge.yml (or any other Tier 1 caller stub) for using @v1 on internal reusable workflow refs
• Verify the audit still flags genuine third-party actions pinned to tags (e.g. actions/checkout@v4)
• Run scripts/compliance-audit.sh with DRY_RUN=true to confirm no false-positive action-pinning findings in the .github repo

Closes #239

Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 21 minutes and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2dfad306-7f88-4aaf-98c3-8795d5d9a66d

📥 Commits

Reviewing files that changed from the base of the PR and between 904d273 and fa50bc2.

📒 Files selected for processing (20)

• .github/workflows/agent-shield-reusable.yml
• .github/workflows/ci.yml
• .github/workflows/compliance-audit-and-improvement.yml
• .github/workflows/compliance-retrigger.yml
• .github/workflows/daily-org-status.yml
• .github/workflows/dependabot-rebase-reusable.yml
• .github/workflows/dependency-audit-reusable.yml
• .github/workflows/dependency-audit.yml
• .github/workflows/dev-lead.yml
• .github/workflows/feature-ideation-reusable.yml
• .github/workflows/feature-ideation-tests.yml
• .github/workflows/feature-ideation.yml
• .github/workflows/sonarcloud.yml
• .gitignore
• scripts/apply-repo-settings.sh
• scripts/compliance-audit.sh
• scripts/compliance-retrigger.sh
• scripts/org_status.sh
• standards/ci-standards.md
• standards/workflows/dev-lead.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-239-20260511-1242

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

CI is green (Lint, ShellCheck, AgentShield, SonarCloud all pass). CodeQL is still running but typically passes for bash-only changes.

Self-review notes:

• The grep -vE 'petry-projects/\.github/' exclusion correctly exempts all petry-projects/.github reusable workflow refs (both @v1 and @main) from the SHA-pinning check
• Uses an escaped dot (\.) so it only matches a literal dot, not any character
• Trailing / ensures we match the path separator and don't accidentally exempt an unrelated petry-projects/.github-other repo
• Consistent with other exemptions already in the script (e.g., -reusable.yml skip in check_workflow_permissions, .github repo skip in check_centralized_workflow_stubs)

@petry-projects/org-leads — this PR fixes a false-positive in the compliance audit. Ready for review and merge.

[gemini-code-assist]

Code Review

This pull request updates the compliance audit script to exempt internal reusable workflows from SHA-pinning requirements, aligning with organizational policy. The review feedback identifies a potential issue where the broad regex used for the exemption could lead to false negatives if the exclusion string appears within a comment on a line containing an unpinned third-party action. A more robust, anchored regex was suggested to ensure the exemption only applies to the action reference itself.

[gemini-code-assist]

The regex petry-projects/\.github/ is applied to the entire line, which can lead to false negatives if a workflow file contains comments referencing the internal repository on the same line as an unpinned third-party action (e.g., uses: actions/checkout@v4 # see petry-projects/.github/).

To ensure the exemption only applies to the action reference itself and to improve the robustness of the existing exclusions, I suggest anchoring the regex to the uses: directive and consolidating the exclusions into a single anchored pattern.

Suggested change

	unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'petry-projects/\.github/' || true)
	unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '^\s*-?\s*uses:\s+(docker://|\.\/|petry-projects/\.github/)' || true)

[Copilot]

Pull request overview

Updates the org-wide compliance audit script to align check_action_pinning behavior with the documented exception that internal petry-projects/.github reusable workflows may use tag refs (e.g., @v1) instead of SHA pins, avoiding false-positive compliance findings.

Changes:

• Excludes petry-projects/.github reusable workflow references from the unpinned-action detection pipeline in scripts/compliance-audit.sh.
• Adds inline comments linking the exclusion to the corresponding standards exception section.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: dc45fcd0a7cc56e045e81aad46b41a1f9b52e3fc
Review mode: triage-approved (single reviewer)

Summary

Confirms the triage assessment. This is a 4-line change to scripts/compliance-audit.sh adding a grep -vE 'petry-projects/\.github/' exclusion to check_action_pinning, with a clear inline comment pointing at the relevant exception in standards/ci-standards.md. Internal reusable workflow refs intentionally use @v1 tags rather than SHA pins, and the previous logic was generating false-positive compliance findings against caller stubs like dependabot-automerge.yml.

Linked issue analysis

Closes #239 (Compliance: unpinned-actions-dependabot-automerge.yml). The issue is itself an auto-filed false-positive — it flagged petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1, which is exactly the kind of internal ref the new exclusion targets. Fix is substantively aligned with the issue.

Findings

• Scope is appropriately narrow. Only one function (check_action_pinning) is touched; existing exclusions for docker:// and ./ are preserved.
• Regex correctness. petry-projects/\.github/ correctly escapes the dot and includes a trailing /, so it won't spuriously exempt a hypothetical petry-projects/.github-other repo.
• Minor nit (non-blocking, noted by gemini-code-assist). The new grep -vE runs against full lines rather than the captured uses: ref. A line like uses: actions/checkout@v4 # see petry-projects/.github/... would be silently filtered, masking a real third-party finding. Probability is very low in practice, and the surrounding pipeline already partially mitigates via [^#]*@. A future hardening could anchor the exclusion to the @ portion of the ref. Not a blocker for this fix.
• No security regression. The exemption is policy-aligned (documented in standards/ci-standards.md#exception-internal-reusable-workflow-references); it does not weaken pinning for any third-party action.

CI status

All required checks green: Lint, ShellCheck, Agent Security Scan, AgentShield, SonarCloud, CodeQL, Claude Code, CodeRabbit, Dependency audit (ecosystem detector). Skipped jobs are conditional (Dependabot auto-merge, mention triggers, language-specific audits not applicable to this repo). SonarCloud Quality Gate passed with 0 new issues.

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

The merge-base changed after approval.

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 802ad9bcaa94c13aa7383878957083951ad35997
Review mode: triage-approved (single reviewer)

Summary

Confirms the triage assessment. This is a 4-line change to scripts/compliance-audit.sh adding a grep -vE 'petry-projects/\.github/' exclusion to check_action_pinning, with an inline comment pointing at the documented exemption in standards/ci-standards.md#exception-internal-reusable-workflow-references. Since the prior (dismissed) review at c17229f, the only new commits are two merge-from-main commits (72305e4a, 802ad9bc) — no functional drift, the fix itself is unchanged.

Linked issue analysis

Closes #239 (Compliance: unpinned-actions-dependabot-automerge.yml), an auto-filed false-positive flagging petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1. That ref is exactly the kind of internal reusable workflow the new exclusion targets, and standards/ci-standards.md explicitly exempts these refs from SHA pinning. Substantively addressed.

Findings

• Scope is appropriately narrow. Only one function (check_action_pinning) is touched; existing exclusions for docker:// and ./ are preserved.
• Regex correctness. petry-projects/\.github/ correctly escapes the dot and includes a trailing /, so it won't spuriously exempt a hypothetical petry-projects/.github-other repo.
• Minor nit (non-blocking, previously noted by gemini-code-assist). The grep -vE runs against full lines rather than the captured uses: ref. A line like uses: actions/checkout@v4 # see petry-projects/.github/... would be silently filtered, masking a real third-party finding. Probability is very low in practice and the upstream [^#]*@ partially mitigates. A future hardening could anchor the exclusion to the @-ref portion; not a blocker.
• No security regression. The exemption is policy-aligned; it does not weaken pinning for any third-party action.
• Merge state. mergeable: MERGEABLE; mergeStateStatus: BLOCKED reflects review-required, not conflict. The earlier auto-rebase-conflict comment from 2026-05-12 has since been resolved by the two merge-from-main commits.

CI status

Green: CodeQL (Analyze actions) SUCCESS, CodeRabbit SUCCESS. Author-reported additional checks (Lint, ShellCheck, AgentShield, SonarCloud Quality Gate — 0 new issues) also passed.

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 146bf90460a6ca6dfbd7b76cb94d9d9421d23b4c
Review mode: triage-approved (single reviewer)

Summary

Confirms the triage assessment. This is a 4-line change to scripts/compliance-audit.sh adding a grep -vE 'petry-projects/\.github/' exclusion to check_action_pinning, with an inline comment pointing at the documented exemption in standards/ci-standards.md#exception-internal-reusable-workflow-references. Since the prior approved review at 802ad9bc, the only new commits are two merge-from-main commits (a70a6ea0, 146bf904) that pull in unrelated upstream work (#281 auto-rebase fallback, #275 check-suite trigger fix); the fix itself is unchanged.

Linked issue analysis

Closes #239 (Compliance: unpinned-actions-dependabot-automerge.yml), an auto-filed false-positive flagging petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1. That ref is exactly the kind of internal reusable workflow the new exclusion targets, and standards/ci-standards.md explicitly exempts these refs from SHA pinning. Substantively addressed.

Findings

• Scope is appropriately narrow. Only one function (check_action_pinning) is touched; existing exclusions for docker:// and ./ are preserved.
• Regex correctness. petry-projects/\.github/ correctly escapes the dot and includes a trailing /, so it won't spuriously exempt a hypothetical petry-projects/.github-other repo.
• Minor nit (non-blocking, previously noted by gemini-code-assist). The grep -vE runs against full lines rather than the captured uses: ref. A line like uses: actions/checkout@v4 # see petry-projects/.github/... would be silently filtered, masking a real third-party finding. Probability is very low in practice and the upstream [^#]*@ partially mitigates. A future hardening could anchor the exclusion to the @-ref portion; not a blocker.
• No security regression. The exemption is policy-aligned; it does not weaken pinning for any third-party action.
• Merge state. mergeable: MERGEABLE; mergeStateStatus: BLOCKED reflects review-required, not conflict. The earlier auto-rebase-conflict comment from 2026-05-12 has since been resolved by the merge-from-main commits.

CI status

All required checks green: Lint, ShellCheck, Agent Security Scan, Secret scan (gitleaks), AgentShield, SonarCloud (Quality Gate passed — 0 new issues), CodeQL (Analyze actions), Claude Code, CodeRabbit, Dependency audit (ecosystem detector). Skipped jobs are conditional (Dependabot auto-merge, language-specific audits not applicable, mention-triggered Claude jobs).

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

Superseded by automated re-review at 146bf90.

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

Dev-Lead — rebase (no-changes)

Agent reasoning

PR: #242
Rebased onto: main
Conflicts resolved: 2 files
- .github/workflows/org-scorecard.yml: Kept HEAD's version — newer Scorecard version (v5.5.0 vs v5.1.1) with SHA verification, malformed-workflow error handling, and safer jq loop pattern
- AGENTS.md: Kept HEAD's version across all conflicts — HEAD contains all PR content plus extensive enhancements (Coding Standards, E2E Testing, Breaking Changes, Fail Loud, CI Quality Gates detail, Branch Protection, Multi-Agent Isolation, Stacked PRs, Structured Logging, CQRS sections)
Push: success
```

[don-petry]

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Dev-Lead Fix CI — applied

PR: #242 | SHA: bd8f63ce35784b42b28d59913c2ce7d798fb5f0a
Fix committed and pushed. Waiting for CI.

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push