fix(apply-rulesets): use Tier 1 reusable check names#94
Merged
Conversation
Closes #91. `scripts/apply-rulesets.sh` previously only knew about claude.yml, sonarcloud.yml, codeql.yml, and ci.yml when building required-status- checks lists. For claude.yml it composed `<workflow-display-name> / claude` (e.g. "Claude Code / claude") — but GitHub actually publishes reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`, which is "claude-code / claude". The old format never matched real checks, so the rule was effectively never satisfied — which is why markets and bmad-bgreat-suite deadlocked at merge time after #87. Fix: - Drop the legacy claude.yml block. - Hardcode the new check names for the centralized workflows that ARE safe to require: `agent-shield / AgentShield` and `dependency-audit / Detect ecosystems`. - Document why claude-code / claude, the per-ecosystem dependency-audit jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT required: claude-code's app-token validation deadlocks workflow PRs; per-ecosystem jobs report SKIPPED when their lockfile is absent and required-but-skipped fails the gate; the dependabot/feature-ideation jobs run on triggers other than regular PRs. After this lands, run `apply-rulesets.sh` against every petry-projects repo to converge on the new names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughModified Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the org ruleset application script to require only the Tier 1 reusable workflow checks whose published check contexts are stable and safe to gate merges on, avoiding deadlocks caused by mismatched reusable-workflow check names.
Changes:
- Removes the legacy
claude.ymlrequired-check composition logic (workflow display name–based) from required check detection. - Adds required check contexts for Tier 1 centralized workflows that are safe to require (
agent-shield / AgentShield,dependency-audit / Detect ecosystems). - Documents why other centralized workflows are intentionally not required (e.g., claude-code, conditional per-ecosystem audits, dependabot-* and scheduled workflows).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
4 tasks
This was referenced Apr 17, 2026
don-petry
added a commit
to petry-projects/ContentTwin
that referenced
this pull request
Apr 18, 2026
Bring setup-rulesets.sh in sync with the live code-quality ruleset: - Add CodeQL, Lint, and Format to required_status_checks - Set strict_required_status_checks_policy to true - Explicitly exclude claude-code / claude (comment explains the deadlock it causes on workflow-modifying PRs per petry-projects/.github#94) Closes #81 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
don-petry
added a commit
to petry-projects/ContentTwin
that referenced
this pull request
May 20, 2026
* fix: update setup-rulesets.sh with correct required status checks Bring setup-rulesets.sh in sync with the live code-quality ruleset: - Add CodeQL, Lint, and Format to required_status_checks - Set strict_required_status_checks_policy to true - Explicitly exclude claude-code / claude (comment explains the deadlock it causes on workflow-modifying PRs per petry-projects/.github#94) Closes #81 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: use correct check context names in setup-rulesets.sh Correct the required status check contexts based on actual GitHub Actions check names observed on PRs: - CodeQL workflow with matrix produces "Analyze (actions)" not "CodeQL" - Add "agent-shield / AgentShield" (agent-shield.yml is present) - Add "dependency-audit / Detect ecosystems" (dependency-audit.yml is present) Also applies the corrected checks to the live ruleset immediately. Co-authored-by: don-petry <don-petry@users.noreply.github.com> * retrigger: bump workflows to run checks * docs: address Copilot review comments in setup-rulesets.sh - Fix ambiguous See: reference to use owner/repo:path format - Add context name legend documenting what each check represents, including that 'Analyze (actions)' is the CodeQL check context - Add audit command for verifying context names against live check runs Co-authored-by: Don Petry <don-petry@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude <claude@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 8, 2026
Closes #91. `scripts/apply-rulesets.sh` previously only knew about claude.yml, sonarcloud.yml, codeql.yml, and ci.yml when building required-status- checks lists. For claude.yml it composed `<workflow-display-name> / claude` (e.g. "Claude Code / claude") — but GitHub actually publishes reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`, which is "claude-code / claude". The old format never matched real checks, so the rule was effectively never satisfied — which is why markets and bmad-bgreat-suite deadlocked at merge time after #87. Fix: - Drop the legacy claude.yml block. - Hardcode the new check names for the centralized workflows that ARE safe to require: `agent-shield / AgentShield` and `dependency-audit / Detect ecosystems`. - Document why claude-code / claude, the per-ecosystem dependency-audit jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT required: claude-code's app-token validation deadlocks workflow PRs; per-ecosystem jobs report SKIPPED when their lockfile is absent and required-but-skipped fails the gate; the dependabot/feature-ideation jobs run on triggers other than regular PRs. After this lands, run `apply-rulesets.sh` against every petry-projects repo to converge on the new names. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 10, 2026
Closes #91. `scripts/apply-rulesets.sh` previously only knew about claude.yml, sonarcloud.yml, codeql.yml, and ci.yml when building required-status- checks lists. For claude.yml it composed `<workflow-display-name> / claude` (e.g. "Claude Code / claude") — but GitHub actually publishes reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`, which is "claude-code / claude". The old format never matched real checks, so the rule was effectively never satisfied — which is why markets and bmad-bgreat-suite deadlocked at merge time after #87. Fix: - Drop the legacy claude.yml block. - Hardcode the new check names for the centralized workflows that ARE safe to require: `agent-shield / AgentShield` and `dependency-audit / Detect ecosystems`. - Document why claude-code / claude, the per-ecosystem dependency-audit jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT required: claude-code's app-token validation deadlocks workflow PRs; per-ecosystem jobs report SKIPPED when their lockfile is absent and required-but-skipped fails the gate; the dependabot/feature-ideation jobs run on triggers other than regular PRs. After this lands, run `apply-rulesets.sh` against every petry-projects repo to converge on the new names. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 11, 2026
Closes #91. `scripts/apply-rulesets.sh` previously only knew about claude.yml, sonarcloud.yml, codeql.yml, and ci.yml when building required-status- checks lists. For claude.yml it composed `<workflow-display-name> / claude` (e.g. "Claude Code / claude") — but GitHub actually publishes reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`, which is "claude-code / claude". The old format never matched real checks, so the rule was effectively never satisfied — which is why markets and bmad-bgreat-suite deadlocked at merge time after #87. Fix: - Drop the legacy claude.yml block. - Hardcode the new check names for the centralized workflows that ARE safe to require: `agent-shield / AgentShield` and `dependency-audit / Detect ecosystems`. - Document why claude-code / claude, the per-ecosystem dependency-audit jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT required: claude-code's app-token validation deadlocks workflow PRs; per-ecosystem jobs report SKIPPED when their lockfile is absent and required-but-skipped fails the gate; the dependabot/feature-ideation jobs run on triggers other than regular PRs. After this lands, run `apply-rulesets.sh` against every petry-projects repo to converge on the new names. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 11, 2026
Closes #91. `scripts/apply-rulesets.sh` previously only knew about claude.yml, sonarcloud.yml, codeql.yml, and ci.yml when building required-status- checks lists. For claude.yml it composed `<workflow-display-name> / claude` (e.g. "Claude Code / claude") — but GitHub actually publishes reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`, which is "claude-code / claude". The old format never matched real checks, so the rule was effectively never satisfied — which is why markets and bmad-bgreat-suite deadlocked at merge time after #87. Fix: - Drop the legacy claude.yml block. - Hardcode the new check names for the centralized workflows that ARE safe to require: `agent-shield / AgentShield` and `dependency-audit / Detect ecosystems`. - Document why claude-code / claude, the per-ecosystem dependency-audit jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT required: claude-code's app-token validation deadlocks workflow PRs; per-ecosystem jobs report SKIPPED when their lockfile is absent and required-but-skipped fails the gate; the dependabot/feature-ideation jobs run on triggers other than regular PRs. After this lands, run `apply-rulesets.sh` against every petry-projects repo to converge on the new names. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 11, 2026
Closes #91. `scripts/apply-rulesets.sh` previously only knew about claude.yml, sonarcloud.yml, codeql.yml, and ci.yml when building required-status- checks lists. For claude.yml it composed `<workflow-display-name> / claude` (e.g. "Claude Code / claude") — but GitHub actually publishes reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`, which is "claude-code / claude". The old format never matched real checks, so the rule was effectively never satisfied — which is why markets and bmad-bgreat-suite deadlocked at merge time after #87. Fix: - Drop the legacy claude.yml block. - Hardcode the new check names for the centralized workflows that ARE safe to require: `agent-shield / AgentShield` and `dependency-audit / Detect ecosystems`. - Document why claude-code / claude, the per-ecosystem dependency-audit jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT required: claude-code's app-token validation deadlocks workflow PRs; per-ecosystem jobs report SKIPPED when their lockfile is absent and required-but-skipped fails the gate; the dependabot/feature-ideation jobs run on triggers other than regular PRs. After this lands, run `apply-rulesets.sh` against every petry-projects repo to converge on the new names. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 11, 2026
* Add multi-agent isolation strategy using git worktrees (#2)
* Add multi-agent isolation strategy using git worktrees
Define org-wide rules for running multiple AI agents concurrently
without conflicts: one worktree per agent, no overlapping file
ownership, tool-specific setup for Claude Code/Copilot/Codex/Cursor,
naming conventions, cleanup, and a pre-launch coordination checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address review comments: overlap detection, markdown fixes, branch clarity
- Add "Detecting File Overlap" subsection per CodeRabbit suggestion
- Reword origin/HEAD to reference default branch explicitly (Copilot)
- Qualify "name flows into branch" for manual worktrees (Copilot)
- Quote isolation: "worktree" consistently in YAML example (Copilot)
- Add git branch -D fallback for squash/rebase merges (Copilot)
- Fix markdown blank lines and language specifiers (CodeRabbit)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: Dependabot security-only update standards (#9)
Adds org-wide Dependabot security-only update standards: policy doc, dependabot.yml templates for all ecosystems, auto-merge workflow, and dependency-audit CI workflow.
* docs: add GitHub repository settings standards (#10)
* docs: add GitHub repository settings standards
Document the standard org and repo configurations including branch
protection, rulesets, merge settings, required integrations, labels,
and new-repo onboarding checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Improve merge settings rationale to clarify admin override purpose inline
- Replace vague protect-branches description with specific ruleset details
from the actual GitHub API configuration
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct settings values from API audit data
- Fix org default permission to 'write' (not 'read')
- Fix has_projects to 'true' (currently enabled on all repos)
- Fix has_wiki to 'true' (enabled on most repos)
- Fix squash commit message to COMMIT_MESSAGES (not PR body)
- Fix broodly stack label (TypeScript + Go, not Rust)
- Add installed GitHub Apps with dates from API audit
- Add compliance status table showing per-repo deviations
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: apply review feedback — rulesets, settings, and secrets
- Change wiki to disabled, discussions to enabled
- Change squash commit title to PR_TITLE
- Replace classic branch protection with rulesets-first approach
- Strengthen pr-quality ruleset: dismiss stale reviews, require last
push approval, require code owner review
- Abstract required checks into conditional code-quality ruleset
(removes repo-specific names, uses condition-based check mapping)
- Fix GitHub App secrets to reflect org-level inheritance
- Update new-repo checklist and compliance status accordingly
- Add migration note for classic → ruleset transition
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: require 2FA and align label onboarding checklist
- Set two-factor requirement to Required (was Disabled)
- Reference full standard label set in onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: tighten org permission to read, make labels MUST
- Change default repo permission to 'read' (least privilege)
- Change labels from SHOULD to MUST for consistency with onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: make all quality checks required on all repos
All five check categories (SonarCloud, CodeQL, Claude Code, CI, Coverage)
are now universally required. Ecosystem-specific configuration varies by
what languages/tools the repo contains — if an ecosystem is present, it
must be configured in the relevant checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove ci-standards.md (belongs in PR #11, not this branch)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: consolidate secrets documentation, add CLAUDE_CODE_OAUTH_TOKEN
- Split secrets into org-level and repo-level sections
- Add CLAUDE_CODE_OAUTH_TOKEN to org secrets table
- Add SONAR_TOKEN and GCP secrets to repo-level table
- Align onboarding note with secrets sections
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL rule-based, org-level secrets, remove repo-level section
- CodeQL definition now focuses on rule: all ecosystems must be configured
- Move SONAR_TOKEN to org-level secrets
- Remove repo-level secrets section — all standard CI secrets are org-level
- Simplify onboarding note
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix typo in repo-specific secrets note
Correct typo in the note about repo-specific secrets.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add CI/CD standards and workflow patterns (#11)
* docs: add CI/CD standards and workflow patterns
Document standard CI configurations across all repos including required
workflows, tech stack patterns, action pinning policy, permissions,
secrets inventory, and a gap analysis of current repo coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address Copilot review feedback on CI standards
- Clarify that only Dependabot workflows have reusable templates;
CI/CodeQL/SonarCloud/Claude are documented as copy-and-adapt patterns
- Fix top-level permissions in CI example to use {} per permissions policy
- Add branches filter to SonarCloud pull_request trigger for consistency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit SHA pinning and Go version feedback
- Pin SHAs in SonarCloud, Claude Code, and auto-fix workflow examples
- Clarify that tech stack patterns use tags for illustration only
- Update Go version example to use 'stable' with note about pinning
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: clarify single-job workflow permissions policy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: refine CI gap analysis and add version inconsistencies
- Mark markets Dependabot config as partial (missing npm ecosystem)
- Mark google-app-scripts auto-merge as older pattern
- Flag non-standard npm limit:10 on google-app-scripts
- Add CodeQL for TalkTerm to missing list
- Add version inconsistency section (SonarCloud, CodeQL, Claude Code)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: align CI standards with universal check requirements
All five quality checks (SonarCloud, CodeQL, Claude, CI, Coverage) are
required on every repo. Updated status table with Coverage column,
prioritized gap remediation list, and version alignment targets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL Friday noon EST, rule-based config, org-level secrets
- Change CodeQL schedule to Friday 12:00 PM EST (cron: 0 17 * * 5)
- Replace repo-specific language matrix with rule: all ecosystems
present in repo must be configured as CodeQL languages
- Move SONAR_TOKEN to org-level secrets
- Replace "Secrets by Repository" with "Organization-Level Secrets
for Standard CI" — all standard secrets are org-inherited
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add weekly compliance audit workflow (#12)
* feat: add weekly compliance audit workflow
Adds automated weekly audit that checks all petry-projects repos
against org standards (CI, Dependabot, settings, labels, rulesets)
and creates/updates/closes issues for each finding.
- Deterministic shell script for reliable, repeatable checks
- Claude Code Action job for standards improvement research
- Issues auto-assigned to Claude for remediation
- Summary notification for org owners
- Idempotent: updates existing issues, closes resolved ones
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review findings in compliance audit
- Add retry error logging to gh_api helper
- Fix pnpm detection when package.json absent
- Fix empty ecosystem array display
- Replace heredoc with direct assignment for issue body
- Add jq error safety in close_resolved_issues
- Increase repo list limit to 500 with empty check
- Use process substitution instead of pipe subshell
- Add concurrency group and timeout to workflow
- Add timeout-minutes to audit job
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit and Copilot review comments
- Handle single-job workflows with job-level permissions
- Add has_issues to required settings checks
- Soften CODEOWNERS wording (SHOULD not MUST per standards)
- Remove misleading issues:write from audit job permissions
- Rename repo_count to repos_with_findings for clarity
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: do not auto-close previous summary issues
Per feedback, only humans should close summary/notification
issues. Changed Claude prompt to explicitly not close them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: run compliance audit every Friday at noon UTC
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks (#14)
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks
- Remove .github repo exclusion — it now gets audited like all
other repos (settings, labels, rulesets, workflows, etc.)
- Add check_claude_md: every repo must have a CLAUDE.md that
references AGENTS.md
- Add check_agents_md: every repo must have an AGENTS.md that
references the org-level .github/AGENTS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments on CLAUDE.md/AGENTS.md checks
- Point standard_ref to AGENTS.md (the actual source of truth)
- Upgrade missing-ref severities from warning to error (required)
- Tighten AGENTS.md org-ref grep to match .github/AGENTS.md only
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add full CI pipeline for .github repo (#15)
* feat: add full CI pipeline for .github repo
Adds all 6 required workflows per ci-standards.md:
- ci.yml: markdownlint, yamllint, actionlint, shellcheck, AgentShield
- codeql.yml: actions language analysis
- sonarcloud.yml: code quality scanning
- claude.yml: AI-assisted PR review
- dependabot-automerge.yml: auto-merge eligible PRs
- dependency-audit.yml: vulnerability scanning
Also adds:
- .github/dependabot.yml (github-actions ecosystem)
- .markdownlint-cli2.yaml (config for standards docs)
- sonar-project.properties
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct markdownlint SHA, use npx for AgentShield, remove duplicate CodeQL
- Fix markdownlint-cli2-action SHA to v9.0.0 (v20 doesn't exist)
- Use npx ecc-agentshield CLI instead of broken GitHub Action
- Remove codeql.yml — repo already has default CodeQL setup enabled
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: relax markdownlint rules, pin actionlint download
- Disable line-length, duplicate-heading, blanks-around-lists,
bare-urls rules — existing docs have many violations; fix
incrementally as separate PRs
- Replace curl|bash with pinned version download for actionlint
(fixes SonarCloud security hotspot)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: break long line in org-scorecard.yml for yamllint
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: make actionlint fail on errors, guard shellcheck glob
- Remove || true from actionlint on our own workflows (fail properly)
- Keep || true only for template workflows (expected placeholder issues)
- Guard shellcheck glob against missing scripts/ directory
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: ignore shellcheck style hints in actionlint
SC2129 (use grouped redirects) is a style suggestion, not a bug.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add SHA256 checksum verification for curl downloads
Addresses SonarCloud security hotspots by verifying checksums
on all binary downloads:
- actionlint 1.7.7 in ci.yml
- scorecard 5.1.1 in org-scorecard.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: enforce MD041, add standards references to all YAML files
- Enable MD041 (first line heading) — all markdown files already comply
- Add header comment to each workflow YAML with purpose and link to
the org standard definition that governs it
- Add header comment to dependabot.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: resolve all markdown lint violations and enable enforced rules (#24)
* fix: resolve all markdown lint violations, enable enforced rules
Enable previously-disabled markdownlint rules:
- MD013 (line length 200, excluding tables/code blocks)
- MD024 (duplicate headings, siblings only)
- MD032 (blanks around lists)
- MD034 (no bare URLs)
Fix 54 violations across 3 files:
- AGENTS.md: wrap 44 long lines, add 6 blank lines around lists,
wrap 3 bare URLs in angle brackets
- standards/ci-standards.md: 1 blank line around list
- standards/dependabot-policy.md: 1 blank line around list
Also add .claude/ and node_modules/ to markdownlint ignore list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: indent list continuations, correct issue trigger security note
- Fix 7 locations in AGENTS.md where wrapped list items had
unindented continuation lines (breaks Markdown rendering)
- Fix ci-standards.md issue trigger security note: triage role
can also label, and compliance audit uses its own label
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add checkout step to Claude Code standard configuration (#26)
The claude-code-action requires the repository to be checked out before
it can run git operations for issue-triggered branch setup. Without
actions/checkout, issue-triggered runs fail with:
fatal: not a git repository
All org repos have already been updated with this fix.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add AgentShield CI standard and agent-shield.yml workflow template (#25)
Adds AgentShield as the 7th required CI workflow with org standard and reusable template.
* fix: add agent-shield.yml to required workflows in compliance audit
The audit script's REQUIRED_WORKFLOWS array was not updated when
AgentShield was added as the 7th required workflow. Repos missing
agent-shield.yml will now be flagged as compliance findings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add claude label to compliance audit issues
Issues need the claude label so the Claude Code workflow picks them
up for auto-remediation. The script was only applying compliance-audit.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: extend compliance audit with CI/automation health survey (#13)
Replaces compliance-audit.yml with compliance-audit-and-improvement.yml,
extending the existing weekly compliance audit with runtime health
telemetry and a forward-looking best practices research phase.
Architecture (3 jobs):
Job 1 — Compliance Audit (unchanged)
Deterministic shell script checking all repos against org standards.
Creates/updates/closes compliance issues per finding.
Job 2 — Health Survey (new)
Collects runtime telemetry across all org repos:
CI run failures (7d), security alerts (Dependabot/secret/code scanning),
PR staleness, branch protection status, workflow inventory.
Job 3 — Analyze & Create Issues (Claude, rewritten)
Six-phase analysis combining both datasets:
1. Load compliance + health data and org standards
2. Correlate and categorize findings by severity
3. Research root causes and automation opportunities
4. Evaluate against industry best practices and emerging capabilities
(agentic guardrails, supply chain integrity, reliability SLOs, etc.)
— outputs only standards proposals, not implementation issues
5. Create issues: repo-specific go in that repo, org-wide in .github,
every issue gets the claude label for agent pickup
6. Summary report to step summary
Issue rules:
- Every issue must have the `claude` label
- Repo-specific issues are created in that repo
- Org-wide and standards proposals go in .github
- Deduplicates against existing open issues
- Max 3 standards-improvement + 3 best-practices proposals per run
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: handle gh api 403/404 responses in health survey
The gh api command with --jq outputs error JSON to stdout on 403/404
before the fallback runs, producing concatenated invalid output like
'{"message":"..."}0'. This broke integer comparisons and jq parsing.
Fix: use if/else on exit code for all gh api calls (security alerts,
branch protection, workflow inventory) instead of `|| echo` fallbacks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add dependabot-rebase workflow standard (#52)
* feat: add dependabot-rebase workflow to unblock auto-merge serialization
When strict status checks require branches to be up-to-date, merging one
Dependabot PR makes others fall behind. Dependabot only rebases on its
weekly schedule, leaving auto-merge stalled. This workflow triggers on
push to main and comments @dependabot rebase on behind PRs, preserving
Dependabot's commit signature for fetch-metadata verification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use API merge method and add direct merge step
Based on testing in google-app-scripts:
- @dependabot rebase only works from human users, not bots
- API rebase breaks Dependabot ownership; API merge preserves it
- GitHub auto-merge (--auto) fails due to BLOCKED mergeable_state
- Add direct merge step and skip-commit-verification to automerge
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add concurrency group to prevent overlapping runs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use correct claude-code-action input names
The action accepts `prompt` (not `direct_prompt`) and `claude_args`
(not `timeout_minutes`/`allowed_tools`). The previous inputs were
silently ignored, causing Claude to never run.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump actions/download-artifact from 4.3.0 to 8.0.1 (#16)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-version: 8.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump pnpm/action-setup from 4.1.0 to 5.0.0 (#17)
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/a7487c7e89a18df4991f7f222e4898a00d66ddda...fc06bc1257f339d1d5d8b3a19a8cae5388b55320)
---
updated-dependencies:
- dependency-name: pnpm/action-setup
dependency-version: 5.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#18)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-go from 5.5.0 to 6.4.0 (#20)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/d35c59abb061a4a6fb18e82ac0862c26744d6ab5...4a3601121dd01d1626a1e23e37211e3254c1c06c)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/checkout from 4.2.2 to 6.0.2 (#21)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.2.2...de0fac2e4500dabe0009e67214ff5f5447ce83dd)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-node from 4.4.0 to 6.3.0 (#23)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4.4.0...53b83947a5a98c8d113130e565377fae1a50d02f)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump anthropics/claude-code-action from 1.0.83 to 1.0.89 (#22)
Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.89.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](https://github.com/anthropics/claude-code-action/compare/v1.0.83...6e2bd52842c65e914eba5c8badd17560bd26b5de)
---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
dependency-version: 1.0.89
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: remove claude_args causing exit code 1
The --allowedTools and --timeout flags passed via claude_args caused
Claude Code to exit immediately with code 1. Removing claude_args
to use defaults — the job-level timeout (45min) and permissions
(contents:read, issues:write) provide sufficient guardrails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: split Claude workflow into interactive + issue automation jobs (#54)
* feat: split Claude workflow into interactive + issue automation jobs
The single-job Claude workflow created branches for issue-labeled triggers
but never opened PRs — requiring a human to click through. Split into two
jobs so issue-triggered work runs in automation mode with a prompt that
drives the full lifecycle: implement, create PR, self-review, resolve
comments, check CI, and tag the maintainer.
Updates both the workflow and the ci-standards.md standard definition.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use CODEOWNERS for maintainer tagging instead of hardcoded username
The claude-issue prompt now reads CODEOWNERS at runtime to determine
who to tag when a PR is ready. This removes the need for per-repo
customization of the prompt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require GitHub Discussions on all repos (#53)
* feat: require GitHub Discussions on all repos with standard categories
Elevate Discussions from optional community feature to required org standard.
Add Discussions Configuration section defining required categories (Ideas,
General) and automated ideation workflow integration. Promote has_discussions
audit check from warning to error via REQUIRED_SETTINGS_BOOL.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require feature-ideation workflow for BMAD Method repos
Add bmad-method ecosystem detection (looks for _bmad/ directory) and
conditionally require feature-ideation.yml workflow. Add CI Standards
section 8 documenting the conditional workflow. Update ecosystem table
in github-settings.md to include bmad-method.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments — severity levels and requirement language
- Extend REQUIRED_SETTINGS_BOOL tuple format to include per-entry severity
(key:expected:severity:detail) instead of hardcoding all as warning
- Set has_discussions and has_issues to error severity; others remain warning
- Change feature-ideation.yml finding from warning to error for BMAD repos
- Change SHOULD to MUST for BMAD ideation workflow requirement in standards
Addresses CodeRabbit and Copilot review comments on PR #53.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: grant claude-issue job tools to create PRs and check CI (#55)
The claude-issue job had no access to `gh` CLI or file editing tools,
so Claude could implement and push but never actually open a PR.
Added --allowedTools for gh pr create/view, gh run view/watch, cat,
Edit, and Write so the automation prompt can execute end-to-end.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add apply-repo-settings.sh to remediate compliance findings (#56)
Adds `scripts/apply-repo-settings.sh`, a companion to `compliance-audit.sh`
that applies all standard repository settings defined in
`standards/github-settings.md#repository-settings--standard-defaults`.
Addresses the `allow_auto_merge` compliance finding (issue #42) and any
other boolean/merge-config drift across org repos.
Usage (after merging, run with an admin token):
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh .github
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh --all
Closes #42
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add concurrency guard and comment tools to claude-issue job
- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools so Claude can
post review replies, resolve threads, and tag code owners
- Remove Bash(cat:*) since the Read tool already covers file reads
Addresses review feedback from CodeRabbit and Copilot across org PRs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add GH_TOKEN preflight check to compliance-audit.sh (#60)
Adds an early-exit preflight check at the top of main() that:
1. Fails fast with a clear error if GH_TOKEN is unset
2. Runs gh auth status to verify the token is valid before proceeding
Previously, auth failures manifested deep in the script as cryptic
gh CLI errors rather than a clear authentication failure.
Note: the step-level GH_TOKEN env var in the workflow also needs
to be added manually (cannot be done here due to workflow permissions).
See issue #30 for the required one-line workflow change.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: replace unpinned dtolnay/rust-toolchain action with rustup in dependency-audit.yml (#72)
fix: replace unpinned dtolnay/rust-toolchain action with rustup
Replaces `uses: dtolnay/rust-toolchain@stable` (unpinned action) with a
direct `rustup toolchain install stable --profile minimal` run step.
The action was used with no parameters so this is functionally identical.
Using a run step eliminates the action-pinning compliance finding since
`run:` steps are not subject to the SHA pinning requirement.
Closes #41
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add claude.yml template + checkout audit check (#63)
fix: add claude.yml template + checkout audit check (#33)
Root cause: the recent org-wide PRs added checkout only to the
claude-issue job, leaving the claude job (PR reviews / @claude
mentions) without one. claude-code-action reads CLAUDE.md and
AGENTS.md from the working tree; without checkout it errors on
every PR-triggered run.
Changes:
- standards/workflows/claude.yml: canonical copy-paste template
with checkout in both jobs, matching the other templates in
standards/workflows/. Both checkout steps are annotated as
REQUIRED to prevent silent removal.
- scripts/compliance-audit.sh: new check_claude_workflow_checkout()
detects any repo whose claude or claude-issue job is missing
checkout and raises an error finding. Wired into the main audit
loop so weekly scans surface affected repos automatically.
- standards/ci-standards.md: added a visible callout that both jobs
need checkout and a pointer to the new template file.
Closes #33
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add has_discussions and has_issues to apply-repo-settings.sh (#59)
Extends the remediation script to include has_discussions and has_issues
settings from standards/github-settings.md#repository-settings--standard-defaults.
Previously the script only covered merge settings, leaving discussions and
issue-tracking compliance gaps unaddressed.
Closes #58
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: auto-create required labels during compliance audit (#67)
fix: auto-create required labels during compliance audit and settings apply
Adds ensure_required_labels() to compliance-audit.sh so all 6 required
labels (security, dependencies, scorecard, bug, enhancement, documentation)
are idempotently created during each audit run, eliminating the
missing-label-* compliance finding category.
Also extends apply-repo-settings.sh with apply_labels() so the remediation
script covers labels alongside repository settings.
Closes #46
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add apply-rulesets.sh to create code-quality ruleset (#71)
* feat: add apply-rulesets.sh to create code-quality ruleset
Adds scripts/apply-rulesets.sh — an IaC script that creates or updates
the code-quality repository ruleset (required status checks) for any
petry-projects repo via the GitHub API.
The script:
- Auto-detects which CI workflows are present and derives the correct
GitHub Actions check context strings (<workflow-name> / <job-name>)
- Supports --dry-run to preview without applying
- Creates or updates the ruleset idempotently (POST or PUT)
- Supports --all to run across every non-archived org repo
Closes #49
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: remove dead workflow_job_names function; guard empty checks array
- Remove unused workflow_job_names() helper — dead code never called
- Guard printf against empty array with set -u on older bash versions
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: restore executable bit on apply-rulesets.sh
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: address Dependabot major version updates and markdownlint v23 compatibility (#68)
- Disable new markdownlint rules enabled by default in v23 (MD049, MD050,
MD054, MD055, MD056, MD058) to prevent CI failures when Dependabot PR #19
(markdownlint-cli2-action v9→v23) is merged
- Sync standards/workflows/dependency-audit.yml to action versions currently
in the live workflow: actions/checkout v6.0.2, actions/setup-node v6.3.0,
and updated pnpm/action-setup and actions/setup-go patch SHAs
Note: .github/workflows/ files require manual edits (no workflow write permission):
- dependabot-automerge.yml: add skip-commit-verification: true to fix PR #22
- dependency-audit.yml: correct 6 version comments (SHA updated but comment still says v4/v5)
Closes #36
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add app secrets guard and skip-commit-verification to dependabot workflows (#69)
* fix: add app secrets guard and skip-commit-verification to dependabot workflows
- Add `Check app secrets` step to all three dependabot workflow files so
missing APP_ID/APP_PRIVATE_KEY secrets produce a clear, actionable error
instead of the cryptic [@octokit/auth-app] appId option is required message
- Add `skip-commit-verification: true` to dependabot/fetch-metadata in
.github/workflows/dependabot-automerge.yml so it accepts the GitHub-authored
merge commits produced by the dependabot-rebase workflow
Closes #29
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: shorten error message lines to satisfy 200-char yamllint rule
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add org profile README (#61)
Creates profile/README.md with org overview, project table, standards
summary, and contribution guidelines.
Closes #37
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: update Node.js runtime examples from 20 to 24 in CI standards docs (#62)
* fix: update Node.js runtime from 20 to 24 across CI config and docs
Node.js 20 runtime is deprecated; GitHub will force Node.js 24 on
June 2 2026 and remove Node.js 20 entirely on September 16 2026.
- ci.yml: pin agent-security job to node-version '24'
- standards/ci-standards.md: update npm and pnpm pattern examples
Closes #34
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* revert: restore ci.yml to previous state (workflow permission not available)
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* docs: update compliance status and add bash 4+ requirement (#73)
* docs: update compliance status and add bash 4+ requirement
- Update Current Compliance Status table: all repo settings are now
fully compliant after bulk remediation; document remaining ruleset gaps
- Add Bash 4+ requirement note to apply-repo-settings.sh (uses
associative arrays, incompatible with macOS default Bash 3.2)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add bash 4+ runtime check to apply-repo-settings.sh
Addresses Copilot review: fail fast with actionable message instead of
cryptic declare -A error on macOS Bash 3.2.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump DavidAnson/markdownlint-cli2-action from 9.0.0 to 23.0.0 (#19)
chore(deps): Bump DavidAnson/markdownlint-cli2-action
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 9.0.0 to 23.0.0.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/5b7c9f74fec47e6b15667b2cc23c63dff11e449e...ce4853d43830c74c1753b39f3cf40f71c2031eb9)
---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
dependency-version: 23.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues (#76)
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues
- Add `in-progress` label (#fbca04) to standard label set in github-settings.md
and apply-repo-settings.sh so all repos have it available for agents to claim issues
- Add `in-progress` to compliance-audit.sh REQUIRED_LABELS and ensure_required_labels()
so the audit enforces its presence across repos
- Remove `--label "claude"` from individual compliance finding issues; individual issues
now only get the `compliance-audit` label so multiple agents don't race on them
- Add create_umbrella_issue() to compliance-audit.sh: after each audit run, one umbrella
issue is created in petry-projects/.github grouping all findings by remediation category.
Only the umbrella gets the `claude` label, triggering one coordinated agent run instead
of N competing agents each fixing the same script/file
- Add "Multi-Agent Issue Coordination" section to AGENTS.md with:
- Claim-before-work protocol (check in-progress label, check for open PRs, claim before
writing code, release claim on abandonment)
- File-conflict check (search open PRs for the target file before creating it)
- Compliance umbrella issue guidance (work from umbrella, fix whole category per PR)
Closes #75
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: declare body separately in create_umbrella_issue to satisfy ShellCheck SC2155
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: reusable Claude Code workflow with workflows write permission (#77)
feat: extract reusable Claude Code workflow with GH_PAT_WORKFLOWS support
Centralizes the Claude Code prompt and config into a reusable workflow
(claude-code-reusable.yml) so repo-level claude.yml files are thin callers.
Adds github_token input using GH_PAT_WORKFLOWS secret to grant workflows
write permission, unblocking Claude from pushing .github/workflows/ changes.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add pr-quality ruleset support to apply-rulesets.sh
Adds build_pr_quality_ruleset_json() function and updates apply_rulesets()
to create/update the pr-quality ruleset on each repo, per the standard
defined in standards/github-settings.md.
Ruleset enforces:
- 1 required approving review
- Dismiss stale reviews on push
- Require code owner review
- Require last push approval
- All review threads resolved before merge
- Linear history (squash-only merges)
- No force pushes, no branch deletion
Bypass actors: OrganizationAdmin (always), dependabot-automerge-petry (pull_request).
Also removes stale TODO note from standards/github-settings.md about
pr-quality support being missing from the script.
Closes #48
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add CODEOWNERS file for code owner review enforcement
Adds .github/CODEOWNERS assigning @don-petry as default owner for all files.
Satisfies the pr-quality ruleset requirement for code owner reviews (the
"Require code owner review" setting has no effect without a CODEOWNERS file).
Closes #50
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* Add Feature Ideation workflow as standard for BMAD-enabled repos (#81)
* feat: add Feature Ideation workflow as a standard for BMAD-enabled repos
Promotes the BMAD Analyst (Mary) feature ideation workflow piloted in
petry-projects/TalkTerm to an org-wide standard for any repo with BMAD
Method installed.
Adds:
- standards/workflows/feature-ideation.yml — the canonical template,
generalised from TalkTerm. Customisation surface is a single
PROJECT_CONTEXT env var that describes the project and its market.
- standards/ci-standards.md §8 rewrite — documents the multi-skill
ideation pipeline (Market Research → Brainstorming → Party Mode →
Adversarial), the Opus 4.6 model requirement, the github_token
permissions gotcha, and the show_full_output secrets hazard.
- standards/agent-standards.md — adds a "BMAD Method Workflows"
section linking the standard from the agent ecosystem docs.
The four critical gotchas baked into the template were each discovered
empirically during the TalkTerm pilot and would silently regress without
the inline comments. Most importantly: the action's auto-generated
claude[bot] App token lacks discussions:write, so the workflow MUST
pass github_token: ${{ secrets.GITHUB_TOKEN }} explicitly or every
Discussion mutation fails silently while the run reports success.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: split feature-ideation into reusable workflow + thin caller stub
Avoids ~600 lines of prompt duplication across every BMAD-enabled repo and
makes the multi-skill ideation pipeline tunable in one place — changes here
propagate to every adopter on next scheduled run.
- .github/workflows/feature-ideation-reusable.yml — the actual reusable
workflow (workflow_call). Contains both jobs (signal collection +
analyst), the full Phase 1-8 prompt, and the four critical gotchas
(Opus 4.6 model, github_token override, no show_full_output, structural
Phase 2-5 sequence) hard-coded so they cannot regress.
- standards/workflows/feature-ideation.yml — replaced the 600-line copy
with a ~60-line caller stub that only defines the schedule, the
workflow_dispatch inputs, and a single required parameter:
project_context.
- standards/ci-standards.md §8 — documents the reusable + caller stub
architecture, the inputs/secrets contract, and updated adoption steps.
Reference implementation pointer updated to note that TalkTerm is now
also a thin caller stub.
Inputs exposed by the reusable workflow:
- project_context (required) — project description for Mary
- focus_area (default '') — typically wired to workflow_dispatch
- research_depth (default 'standard')
- model (default 'claude-opus-4-6') — escape hatch only
- timeout_minutes (default 60)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): add shellcheck disable for GraphQL variable false positive
The gh api graphql queries use $repo / $owner / $categoryId as GraphQL
variables (not shell expansions), which must remain in single quotes.
shellcheck SC2016 fires anyway — disable it for this script.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): use quoted heredocs for GraphQL queries to satisfy SC2016
actionlint runs shellcheck on the entire run script as one unit and ignores
inline disable directives. Rewriting the gh api graphql calls to use
cat <<'GRAPHQL' heredocs makes the GraphQL variable references ($repo,
$owner, $categoryId) shell-inert without depending on single-quoted
string literals — eliminating the SC2016 false positive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: expand prompt variables via Actions expressions, add placeholder guard
CodeRabbit caught a critical latent bug inherited from the original TalkTerm
prompt: shell-style $VAR and $(date) syntax inside the action's `prompt:`
input is NOT expanded — the action receives literal text. This silently
broke variable substitution in every prior run, but mattered most for the
new reusable workflow because PROJECT_CONTEXT is now load-bearing.
Changes:
- Replace $PROJECT_CONTEXT, $FOCUS_AREA, $RESEARCH_DEPTH, and $(date ...)
with ${{ inputs.* }} and ${{ github.run_started_at }} expressions, which
ARE evaluated by GitHub before passing the prompt to the action.
- Add a "Validate project_context is customised" pre-step that fails fast
if an adopter copied the caller stub without replacing the TODO
placeholder. Prevents wasted Opus runs producing generic Discussions.
- scripts/compliance-audit.sh: detect BMAD repos via `_bmad-output/` as
well as `_bmad/`, matching the broader detection rule documented in
ci-standards.md §8 (TalkTerm only has `_bmad-output/`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): drop github.run_started_at (not in actionlint context schema)
The agent can read scan_date from signals.json instead — added a hint
in the Environment section.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(caller): grant cascading permissions on the calling job
CodeRabbit caught: the caller stub had `permissions: {}` at workflow
level and no permissions block on the calling job. Reusable workflows
inherit permissions from the calling job — without an explicit grant,
the reusable workflow's `discussions: write` declaration would have
nothing to apply, and Discussion mutations would fail with FORBIDDEN
just like the original bug we fixed in TalkTerm.
The reusable workflow's job-level permissions are documentation of
what it needs; the caller is what actually grants them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use claude_args --model interface; instruct re-query before create
Two more fixes from CodeRabbit review:
1. Model selection via claude_args (the documented v1 interface)
instead of ANTHROPIC_MODEL env var. claude_args takes precedence over
the env var per the action's docs, so depending on the env var was
relying on undocumented behavior. The pinned v1.0.89 happens to honor
ANTHROPIC_MODEL too (verified in TalkTerm run #3 logs), but the
documented path is more robust against future action upgrades.
2. Re-query existing Ideas discussions before each create. The signals
snapshot only fetches the first page of discussions (GraphQL caps
connections at 100 per page) and only covers the Ideas category, not
the General fallback. Mary now does a fresh query before each create
to avoid duplicates in repos with >100 idea threads or where Ideas
doesn't exist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: pass GH_PAT_WORKFLOWS to actions/checkout so git push uses workflow-scoped token (#82)
* fix: auto-create missing required labels during compliance audit (#79)
Replace passive `missing-label-*` findings with active label creation.
`check_labels()` now calls `gh label create --force` for any required
label absent from a repo. A compliance finding is only filed if creation
fails (insufficient permissions) or when running in DRY_RUN mode.
Resolves the recurring `missing-label-scorecard` finding (#47) by
creating the label on the next audit run rather than just reporting it.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: encode compliance-fix learnings into standards and Claude prompt (#86)
* fix(claude-action): grant administration:write, allow gh api/label create, add standards-conformance prompt rules
* docs(ci-standards): add 'Using Templates' section, SHA lookup procedure, document administration:write
* docs(AGENTS): link standards root and per-topic standards files at top of file
* docs(AGENTS): wrap standards-rule paragraph to satisfy MD013 line-length
* fix(claude-action): yamllint disable for long allowedTools line
* fix(claude-action): remove invalid 'administration' permission scope; document GH_PAT_WORKFLOWS as the actual mechanism
* docs(ci-standards): replace bogus 'administration: write' note with explanation of how admin ops actually work via GH_PAT_WORKFLOWS
* feat(workflows): centralize standards via reusable workflows (#87)
* feat(workflows): centralize standards via reusable workflows
Build org-wide reusable workflows for the four standards that previously
required full inline copies in every downstream repo, and migrate the
matching standards/workflows/*.yml templates to thin caller stubs that
delegate via `uses: petry-projects/.github/.github/workflows/*-reusable.yml@main`.
This extends the pattern already proven by feature-ideation and the
existing claude-code-reusable workflow to the rest of the standard set:
- dependency-audit-reusable.yml (zero per-repo config)
- dependabot-automerge-reusable.yml (uses secrets: inherit for APP_*)
- dependabot-rebase-reusable.yml (uses secrets: inherit for APP_*)
- agent-shield-reusable.yml (inputs for severity/required-files/org-ref)
The standards/workflows/claude.yml template was also still the inline
115-line version even though claude-code-reusable.yml has existed for
weeks; migrate it to a stub matching the central repo's own claude.yml.
Each migrated stub now carries a uniform "SOURCE OF TRUTH" header block
telling agents what they may and may not edit. Net effect: ~580 lines
removed from standards/workflows, single point of maintenance for the
five centralizable workflows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): grant read permissions to dependabot caller stubs
Reusable workflows can be granted no more permissions than the calling
workflow has. The dependabot-automerge and dependabot-rebase stubs had
`permissions: {}` at workflow level with no job-level overrides, which
intersected to zero — the reusable's `gh pr ...` calls would fail
because GITHUB_TOKEN had no scopes.
Fix: declare `contents: read` and `pull-requests: read` on the calling
job, matching the scopes the reusable's job already declares. Caught
by Copilot review on #87.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(workflows): note permissions stanza in immutable-stub contract
CodeRabbit follow-up on #87: now that the dependabot stubs declare a
job-level permissions block (required for the reusable's gh API calls),
add it to the "MUST NOT change" list so future adopters don't strip it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(workflows): pin reusable callers to @v1 and document tier model (#88)
* feat(workflows): pin all reusable callers to @v1 + add tier model
Pins all stubs in standards/workflows/ and the central repo's own
.github/workflows/claude.yml from @main to @v1. From here on, a bad
commit on main cannot break every downstream repo simultaneously —
breaking changes will publish v2 and downstream repos opt in.
Adds a "Centralization tiers" section to ci-standards.md documenting
the three tiers (stub / per-repo template / free per-repo) so future
agents know whether a workflow file is editable, what they may tune,
and where to send fixes when behavior needs to change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* revert(workflows): keep central claude.yml caller at @main in this PR
claude-code-action validates that .github/workflows/claude.yml in a PR
is byte-identical to main, so updating it within a normal PR is
impossible — the validation fails before the merge can land. Updating
the central repo's own caller will be done as a tiny separate change
after this lands.
Standards stubs remain pinned to @v1 — that is the change that matters
for downstream repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): unify feature-ideation header + correct tier doc
Address Copilot review on #88:
1. feature-ideation.yml: prepend the same SOURCE OF TRUTH header block
used by the other Tier 1 stubs so the claim "Tier 1 stubs all carry
an identical header" is actually true.
2. ci-standards.md tier table: drop the inaccurate "~30-line" claim
(feature-ideation.yml is ~95 lines because of the `project_context`
input). Replace with "thin caller stub" and call out feature-ideation's
required input alongside agent-shield's optional ones.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect non-stub centralized workflow copies (#89)
* feat(compliance-audit): detect non-stub centralized workflow copies
Adds a new check to compliance-audit.sh that flags downstream repos
whose Tier 1 workflows are not the canonical thin caller stubs pinned
to @v1. For each centralizable workflow (claude, dependency-audit,
dependabot-{automerge,rebase}, agent-shield, feature-ideation), the
check distinguishes three failure modes for actionable findings:
1. Inline copy of pre-centralization logic
→ "is an inline copy instead of a thin caller stub"
2. References the reusable but not pinned to @v1 (e.g. @main, @v0)
→ "references the reusable but is not pinned to @v1"
3. Some other malformed uses: line
→ "the uses: line does not match the canonical stub"
The central .github repo is exempt because it owns the reusables and
may legitimately reference them by @main during release preparation.
Verified locally with hand-crafted fixtures: stub@v1 → no finding,
stub@main → flagged with the @v1 message, inline copy → flagged with
the inline message, missing file → no finding (handled by
check_required_workflows).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): use fixed-string grep for reusable path match
CodeRabbit on #89: the second-branch grep used an unescaped
"petry-projects/.github/.github/workflows/${reusable}" pattern,
where BRE dots could in principle match any character. Switch to
\`grep -F\` (fixed-string) to match the path literally. No real-world
false positive observed (workflow paths contain literal dots), but
the hygiene is right.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): anchor uses: regex + reduce per-repo API calls
Address remaining Copilot review feedback on #89:
1. Anchor the \`uses:\` regex to start-of-line + optional indent
(\`^[[:space:]]*uses:\`) so a commented \`# uses: ...@v1\` line
cannot fool the check into marking an inline workflow as compliant.
Verified with a fixture: a workflow whose only mention of @v1 is in
a YAML comment is now correctly flagged.
2. List \`.github/workflows/\` once per repo and short-circuit the
per-file check when the workflow isn't present, instead of probing
each of the six centralized files individually. Cuts up to 5 wasted
gh api calls per repo (worst case ~2500 fewer requests across the
org per audit run).
3. Drop the misleading "missing workflow caught by check_required_workflows"
comment — only some of the six are required (claude, dependency-audit,
dependabot-automerge, agent-shield); dependabot-rebase and feature-ideation
are intentionally optional/conditional. The new directory-listing
short-circuit handles all of these uniformly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(apply-rulesets): use Tier 1 reusable check names (#94)
Closes #91.
`scripts/apply-rulesets.sh` previously only knew about claude.yml,
sonarcloud.yml, codeql.yml, and ci.yml when building required-status-
checks lists. For claude.yml it composed `<workflow-display-name> /
claude` (e.g. "Claude Code / claude") — but GitHub actually publishes
reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`,
which is "claude-code / claude". The old format never matched real
checks, so the rule was effectively never satisfied — which is why
markets and bmad-bgreat-suite deadlocked at merge time after #87.
Fix:
- Drop the legacy claude.yml block.
- Hardcode the new check names for the centralized workflows that ARE
safe to require: `agent-shield / AgentShield` and
`dependency-audit / Detect ecosystems`.
- Document why claude-code / claude, the per-ecosystem dependency-audit
jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT
required: claude-code's app-token validation deadlocks workflow PRs;
per-ecosystem jobs report SKIPPED when their lockfile is absent and
required-but-skipped fails the gate; the dependabot/feature-ideation
jobs run on triggers other than regular PRs.
After this lands, run `apply-rulesets.sh` against every petry-projects
repo to converge on the new names.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): address CodeRabbit suggestions deferred from #87 (#93)
* fix(workflows): address CodeRabbit suggestions deferred from #87
Closes #90.
1) agent-shield-reusable.yml — SKILL.md frontmatter regex now allows
optional leading whitespace (`^[[:space:]]*name:` /
`^[[:space:]]*description:`), so indented YAML keys (e.g. under a
`metadata:` parent) are recognised as present. Previously the strict
column-zero anchor missed them.
2) dependabot-rebase-reusable.yml — fix vacuous-truth merge gate.
`[].statusCheckRollup[]? | ... | all(...)` returns true on an empty
list (logical convention), which made a PR with no status checks
appear "all green" and trigger an auto-merge. New gate also requires
at least one COMPLETED check before merging, in addition to the
existing all-pass and zero-pending requirements. Also collapses the
three `gh pr view` calls into one round-trip via a shared $ROLLUP.
3) dependency-audit-reusable.yml — cargo audit no longer re-runs per
workspace member. The new logic finds workspace roots (Cargo.toml
files containing `[workspace]`) and audits them once each, then
audits standalone crates whose dir is not under any workspace root.
For a workspace with N members, that's 1 audit instead of N+1.
4) dependency-audit-reusable.yml — pip-audit now audits both
pyproject.toml AND requirements.txt when both exist in the same
directory (some projects ship pyproject for tooling and
requirements.txt for pinned runtime deps). Previously the elif
branch made requirements.txt unreachable.
All four were originally raised by CodeRabbit on petry-projects/.github#87
and intentionally deferred to keep that PR no-behavior-change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): single space before cron comment in feature-ideation stub
The canonical stub had three spaces aligning the comment after the cron
expression. Repos that run prettier in their lint chain (e.g.
google-app-scripts) hit a `prettier --check` failure on every fresh
adoption — see petry-projects/google-app-scripts#151. Bringing the
template in line with prettier defaults so future adopters don't drift.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect stale required-check names in rulesets (#96)
* feat(compliance-audit): detect stale required-check names in rulesets
Closes #92.
Adds `check_centralized_check_names` to compliance-audit.sh. For every
non-`.github` repo in the org, fetches the active required-status-check
contexts from BOTH the new ruleset system (gh api .../rules/branches/main)
and classic branch protection (gh api .../branches/main/protection),
then flags two distinct problems:
1. Stale pre-centralization names (`claude`, `claude-issue`,
`AgentShield`, `Detect ecosystems`) — emits
`stale-required-check-<old-name>` with the canonical replacement in
the message.
2. `claude-code / claude` listed as required — emits
`required-claude-code-check-broken` because that check is
structurally incompatible with workflow-modifying PRs:
claude-code-action's GitHub App refuses to mint a token whenever
the PR diff includes a workflow file, so the check fails on every
workflow PR and the merge gate becomes a deadlock. This was the
exact root cause of the markets/bmad-bgreat-suite stuck PRs from
#87 sweep.
Tested locally with stub fixtures for all four cases (stale claude,
stale AgentShield, broken claude-code/claude, clean ruleset).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): never recommend renaming claude → claude-code/claude
CodeRabbit on #96: the rename map said `claude` → `claude-code / claude`,
but a separate check correctly flags `claude-code / claude` as a forbidden
required check (it deadlocks workflow PRs). Following the rename
recommendation would have moved a repo from one broken state to another.
Fix: split the logic into two distinct sets.
1. `renames[]` — only contains checks where the new name is safe to
require (AgentShield, Detect ecosystems). These get a "rename to X"
message.
2. `forbidden_required[]` — contains every claude variant (legacy and
post-centralization). Any of them as a required check emits a
stable per-name finding telling the maintainer to REMOVE it from
required checks, not rename it.
The Claude review check still runs and surfaces feedback on normal PRs
without being a merge gate; only the required-status-checks pin is
removed.
Each forbidden_required entry maps to a stable check id so findings
don't churn across audit runs from slashes in canonical names.
Verified locally with stub fixtures for all five cases:
stale `claude` -> required-claude-check-broken
stale `claude-issue` -> required-claude-issue-check-broken
`claude-code / claude` -> required-claude-code-check-broken
stale `AgentShield` -> stale-required-check-AgentShield (rename)
clean ruleset -> 0 findings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): suffix-match forbidden Claude required checks
Address remaining CodeRabbit feedback on #96: the previous exact-match
list (`claude-code / claude`, `claude-code / claude-issue`) only caught
the canonical caller-job-id. Repos with a custo…
don-petry
added a commit
that referenced
this pull request
Jun 11, 2026
* Add multi-agent isolation strategy using git worktrees (#2)
* Add multi-agent isolation strategy using git worktrees
Define org-wide rules for running multiple AI agents concurrently
without conflicts: one worktree per agent, no overlapping file
ownership, tool-specific setup for Claude Code/Copilot/Codex/Cursor,
naming conventions, cleanup, and a pre-launch coordination checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address review comments: overlap detection, markdown fixes, branch clarity
- Add "Detecting File Overlap" subsection per CodeRabbit suggestion
- Reword origin/HEAD to reference default branch explicitly (Copilot)
- Qualify "name flows into branch" for manual worktrees (Copilot)
- Quote isolation: "worktree" consistently in YAML example (Copilot)
- Add git branch -D fallback for squash/rebase merges (Copilot)
- Fix markdown blank lines and language specifiers (CodeRabbit)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: Dependabot security-only update standards (#9)
Adds org-wide Dependabot security-only update standards: policy doc, dependabot.yml templates for all ecosystems, auto-merge workflow, and dependency-audit CI workflow.
* docs: add GitHub repository settings standards (#10)
* docs: add GitHub repository settings standards
Document the standard org and repo configurations including branch
protection, rulesets, merge settings, required integrations, labels,
and new-repo onboarding checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Improve merge settings rationale to clarify admin override purpose inline
- Replace vague protect-branches description with specific ruleset details
from the actual GitHub API configuration
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct settings values from API audit data
- Fix org default permission to 'write' (not 'read')
- Fix has_projects to 'true' (currently enabled on all repos)
- Fix has_wiki to 'true' (enabled on most repos)
- Fix squash commit message to COMMIT_MESSAGES (not PR body)
- Fix broodly stack label (TypeScript + Go, not Rust)
- Add installed GitHub Apps with dates from API audit
- Add compliance status table showing per-repo deviations
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: apply review feedback — rulesets, settings, and secrets
- Change wiki to disabled, discussions to enabled
- Change squash commit title to PR_TITLE
- Replace classic branch protection with rulesets-first approach
- Strengthen pr-quality ruleset: dismiss stale reviews, require last
push approval, require code owner review
- Abstract required checks into conditional code-quality ruleset
(removes repo-specific names, uses condition-based check mapping)
- Fix GitHub App secrets to reflect org-level inheritance
- Update new-repo checklist and compliance status accordingly
- Add migration note for classic → ruleset transition
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: require 2FA and align label onboarding checklist
- Set two-factor requirement to Required (was Disabled)
- Reference full standard label set in onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: tighten org permission to read, make labels MUST
- Change default repo permission to 'read' (least privilege)
- Change labels from SHOULD to MUST for consistency with onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: make all quality checks required on all repos
All five check categories (SonarCloud, CodeQL, Claude Code, CI, Coverage)
are now universally required. Ecosystem-specific configuration varies by
what languages/tools the repo contains — if an ecosystem is present, it
must be configured in the relevant checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove ci-standards.md (belongs in PR #11, not this branch)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: consolidate secrets documentation, add CLAUDE_CODE_OAUTH_TOKEN
- Split secrets into org-level and repo-level sections
- Add CLAUDE_CODE_OAUTH_TOKEN to org secrets table
- Add SONAR_TOKEN and GCP secrets to repo-level table
- Align onboarding note with secrets sections
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL rule-based, org-level secrets, remove repo-level section
- CodeQL definition now focuses on rule: all ecosystems must be configured
- Move SONAR_TOKEN to org-level secrets
- Remove repo-level secrets section — all standard CI secrets are org-level
- Simplify onboarding note
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix typo in repo-specific secrets note
Correct typo in the note about repo-specific secrets.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add CI/CD standards and workflow patterns (#11)
* docs: add CI/CD standards and workflow patterns
Document standard CI configurations across all repos including required
workflows, tech stack patterns, action pinning policy, permissions,
secrets inventory, and a gap analysis of current repo coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address Copilot review feedback on CI standards
- Clarify that only Dependabot workflows have reusable templates;
CI/CodeQL/SonarCloud/Claude are documented as copy-and-adapt patterns
- Fix top-level permissions in CI example to use {} per permissions policy
- Add branches filter to SonarCloud pull_request trigger for consistency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit SHA pinning and Go version feedback
- Pin SHAs in SonarCloud, Claude Code, and auto-fix workflow examples
- Clarify that tech stack patterns use tags for illustration only
- Update Go version example to use 'stable' with note about pinning
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: clarify single-job workflow permissions policy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: refine CI gap analysis and add version inconsistencies
- Mark markets Dependabot config as partial (missing npm ecosystem)
- Mark google-app-scripts auto-merge as older pattern
- Flag non-standard npm limit:10 on google-app-scripts
- Add CodeQL for TalkTerm to missing list
- Add version inconsistency section (SonarCloud, CodeQL, Claude Code)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: align CI standards with universal check requirements
All five quality checks (SonarCloud, CodeQL, Claude, CI, Coverage) are
required on every repo. Updated status table with Coverage column,
prioritized gap remediation list, and version alignment targets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL Friday noon EST, rule-based config, org-level secrets
- Change CodeQL schedule to Friday 12:00 PM EST (cron: 0 17 * * 5)
- Replace repo-specific language matrix with rule: all ecosystems
present in repo must be configured as CodeQL languages
- Move SONAR_TOKEN to org-level secrets
- Replace "Secrets by Repository" with "Organization-Level Secrets
for Standard CI" — all standard secrets are org-inherited
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add weekly compliance audit workflow (#12)
* feat: add weekly compliance audit workflow
Adds automated weekly audit that checks all petry-projects repos
against org standards (CI, Dependabot, settings, labels, rulesets)
and creates/updates/closes issues for each finding.
- Deterministic shell script for reliable, repeatable checks
- Claude Code Action job for standards improvement research
- Issues auto-assigned to Claude for remediation
- Summary notification for org owners
- Idempotent: updates existing issues, closes resolved ones
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review findings in compliance audit
- Add retry error logging to gh_api helper
- Fix pnpm detection when package.json absent
- Fix empty ecosystem array display
- Replace heredoc with direct assignment for issue body
- Add jq error safety in close_resolved_issues
- Increase repo list limit to 500 with empty check
- Use process substitution instead of pipe subshell
- Add concurrency group and timeout to workflow
- Add timeout-minutes to audit job
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit and Copilot review comments
- Handle single-job workflows with job-level permissions
- Add has_issues to required settings checks
- Soften CODEOWNERS wording (SHOULD not MUST per standards)
- Remove misleading issues:write from audit job permissions
- Rename repo_count to repos_with_findings for clarity
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: do not auto-close previous summary issues
Per feedback, only humans should close summary/notification
issues. Changed Claude prompt to explicitly not close them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: run compliance audit every Friday at noon UTC
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks (#14)
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks
- Remove .github repo exclusion — it now gets audited like all
other repos (settings, labels, rulesets, workflows, etc.)
- Add check_claude_md: every repo must have a CLAUDE.md that
references AGENTS.md
- Add check_agents_md: every repo must have an AGENTS.md that
references the org-level .github/AGENTS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments on CLAUDE.md/AGENTS.md checks
- Point standard_ref to AGENTS.md (the actual source of truth)
- Upgrade missing-ref severities from warning to error (required)
- Tighten AGENTS.md org-ref grep to match .github/AGENTS.md only
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add full CI pipeline for .github repo (#15)
* feat: add full CI pipeline for .github repo
Adds all 6 required workflows per ci-standards.md:
- ci.yml: markdownlint, yamllint, actionlint, shellcheck, AgentShield
- codeql.yml: actions language analysis
- sonarcloud.yml: code quality scanning
- claude.yml: AI-assisted PR review
- dependabot-automerge.yml: auto-merge eligible PRs
- dependency-audit.yml: vulnerability scanning
Also adds:
- .github/dependabot.yml (github-actions ecosystem)
- .markdownlint-cli2.yaml (config for standards docs)
- sonar-project.properties
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct markdownlint SHA, use npx for AgentShield, remove duplicate CodeQL
- Fix markdownlint-cli2-action SHA to v9.0.0 (v20 doesn't exist)
- Use npx ecc-agentshield CLI instead of broken GitHub Action
- Remove codeql.yml — repo already has default CodeQL setup enabled
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: relax markdownlint rules, pin actionlint download
- Disable line-length, duplicate-heading, blanks-around-lists,
bare-urls rules — existing docs have many violations; fix
incrementally as separate PRs
- Replace curl|bash with pinned version download for actionlint
(fixes SonarCloud security hotspot)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: break long line in org-scorecard.yml for yamllint
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: make actionlint fail on errors, guard shellcheck glob
- Remove || true from actionlint on our own workflows (fail properly)
- Keep || true only for template workflows (expected placeholder issues)
- Guard shellcheck glob against missing scripts/ directory
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: ignore shellcheck style hints in actionlint
SC2129 (use grouped redirects) is a style suggestion, not a bug.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add SHA256 checksum verification for curl downloads
Addresses SonarCloud security hotspots by verifying checksums
on all binary downloads:
- actionlint 1.7.7 in ci.yml
- scorecard 5.1.1 in org-scorecard.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: enforce MD041, add standards references to all YAML files
- Enable MD041 (first line heading) — all markdown files already comply
- Add header comment to each workflow YAML with purpose and link to
the org standard definition that governs it
- Add header comment to dependabot.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: resolve all markdown lint violations and enable enforced rules (#24)
* fix: resolve all markdown lint violations, enable enforced rules
Enable previously-disabled markdownlint rules:
- MD013 (line length 200, excluding tables/code blocks)
- MD024 (duplicate headings, siblings only)
- MD032 (blanks around lists)
- MD034 (no bare URLs)
Fix 54 violations across 3 files:
- AGENTS.md: wrap 44 long lines, add 6 blank lines around lists,
wrap 3 bare URLs in angle brackets
- standards/ci-standards.md: 1 blank line around list
- standards/dependabot-policy.md: 1 blank line around list
Also add .claude/ and node_modules/ to markdownlint ignore list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: indent list continuations, correct issue trigger security note
- Fix 7 locations in AGENTS.md where wrapped list items had
unindented continuation lines (breaks Markdown rendering)
- Fix ci-standards.md issue trigger security note: triage role
can also label, and compliance audit uses its own label
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add checkout step to Claude Code standard configuration (#26)
The claude-code-action requires the repository to be checked out before
it can run git operations for issue-triggered branch setup. Without
actions/checkout, issue-triggered runs fail with:
fatal: not a git repository
All org repos have already been updated with this fix.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add AgentShield CI standard and agent-shield.yml workflow template (#25)
Adds AgentShield as the 7th required CI workflow with org standard and reusable template.
* fix: add agent-shield.yml to required workflows in compliance audit
The audit script's REQUIRED_WORKFLOWS array was not updated when
AgentShield was added as the 7th required workflow. Repos missing
agent-shield.yml will now be flagged as compliance findings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add claude label to compliance audit issues
Issues need the claude label so the Claude Code workflow picks them
up for auto-remediation. The script was only applying compliance-audit.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: extend compliance audit with CI/automation health survey (#13)
Replaces compliance-audit.yml with compliance-audit-and-improvement.yml,
extending the existing weekly compliance audit with runtime health
telemetry and a forward-looking best practices research phase.
Architecture (3 jobs):
Job 1 — Compliance Audit (unchanged)
Deterministic shell script checking all repos against org standards.
Creates/updates/closes compliance issues per finding.
Job 2 — Health Survey (new)
Collects runtime telemetry across all org repos:
CI run failures (7d), security alerts (Dependabot/secret/code scanning),
PR staleness, branch protection status, workflow inventory.
Job 3 — Analyze & Create Issues (Claude, rewritten)
Six-phase analysis combining both datasets:
1. Load compliance + health data and org standards
2. Correlate and categorize findings by severity
3. Research root causes and automation opportunities
4. Evaluate against industry best practices and emerging capabilities
(agentic guardrails, supply chain integrity, reliability SLOs, etc.)
— outputs only standards proposals, not implementation issues
5. Create issues: repo-specific go in that repo, org-wide in .github,
every issue gets the claude label for agent pickup
6. Summary report to step summary
Issue rules:
- Every issue must have the `claude` label
- Repo-specific issues are created in that repo
- Org-wide and standards proposals go in .github
- Deduplicates against existing open issues
- Max 3 standards-improvement + 3 best-practices proposals per run
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: handle gh api 403/404 responses in health survey
The gh api command with --jq outputs error JSON to stdout on 403/404
before the fallback runs, producing concatenated invalid output like
'{"message":"..."}0'. This broke integer comparisons and jq parsing.
Fix: use if/else on exit code for all gh api calls (security alerts,
branch protection, workflow inventory) instead of `|| echo` fallbacks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add dependabot-rebase workflow standard (#52)
* feat: add dependabot-rebase workflow to unblock auto-merge serialization
When strict status checks require branches to be up-to-date, merging one
Dependabot PR makes others fall behind. Dependabot only rebases on its
weekly schedule, leaving auto-merge stalled. This workflow triggers on
push to main and comments @dependabot rebase on behind PRs, preserving
Dependabot's commit signature for fetch-metadata verification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use API merge method and add direct merge step
Based on testing in google-app-scripts:
- @dependabot rebase only works from human users, not bots
- API rebase breaks Dependabot ownership; API merge preserves it
- GitHub auto-merge (--auto) fails due to BLOCKED mergeable_state
- Add direct merge step and skip-commit-verification to automerge
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add concurrency group to prevent overlapping runs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use correct claude-code-action input names
The action accepts `prompt` (not `direct_prompt`) and `claude_args`
(not `timeout_minutes`/`allowed_tools`). The previous inputs were
silently ignored, causing Claude to never run.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump actions/download-artifact from 4.3.0 to 8.0.1 (#16)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-version: 8.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump pnpm/action-setup from 4.1.0 to 5.0.0 (#17)
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/a7487c7e89a18df4991f7f222e4898a00d66ddda...fc06bc1257f339d1d5d8b3a19a8cae5388b55320)
---
updated-dependencies:
- dependency-name: pnpm/action-setup
dependency-version: 5.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#18)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-go from 5.5.0 to 6.4.0 (#20)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/d35c59abb061a4a6fb18e82ac0862c26744d6ab5...4a3601121dd01d1626a1e23e37211e3254c1c06c)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/checkout from 4.2.2 to 6.0.2 (#21)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.2.2...de0fac2e4500dabe0009e67214ff5f5447ce83dd)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-node from 4.4.0 to 6.3.0 (#23)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4.4.0...53b83947a5a98c8d113130e565377fae1a50d02f)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump anthropics/claude-code-action from 1.0.83 to 1.0.89 (#22)
Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.89.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](https://github.com/anthropics/claude-code-action/compare/v1.0.83...6e2bd52842c65e914eba5c8badd17560bd26b5de)
---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
dependency-version: 1.0.89
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: remove claude_args causing exit code 1
The --allowedTools and --timeout flags passed via claude_args caused
Claude Code to exit immediately with code 1. Removing claude_args
to use defaults — the job-level timeout (45min) and permissions
(contents:read, issues:write) provide sufficient guardrails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: split Claude workflow into interactive + issue automation jobs (#54)
* feat: split Claude workflow into interactive + issue automation jobs
The single-job Claude workflow created branches for issue-labeled triggers
but never opened PRs — requiring a human to click through. Split into two
jobs so issue-triggered work runs in automation mode with a prompt that
drives the full lifecycle: implement, create PR, self-review, resolve
comments, check CI, and tag the maintainer.
Updates both the workflow and the ci-standards.md standard definition.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use CODEOWNERS for maintainer tagging instead of hardcoded username
The claude-issue prompt now reads CODEOWNERS at runtime to determine
who to tag when a PR is ready. This removes the need for per-repo
customization of the prompt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require GitHub Discussions on all repos (#53)
* feat: require GitHub Discussions on all repos with standard categories
Elevate Discussions from optional community feature to required org standard.
Add Discussions Configuration section defining required categories (Ideas,
General) and automated ideation workflow integration. Promote has_discussions
audit check from warning to error via REQUIRED_SETTINGS_BOOL.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require feature-ideation workflow for BMAD Method repos
Add bmad-method ecosystem detection (looks for _bmad/ directory) and
conditionally require feature-ideation.yml workflow. Add CI Standards
section 8 documenting the conditional workflow. Update ecosystem table
in github-settings.md to include bmad-method.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments — severity levels and requirement language
- Extend REQUIRED_SETTINGS_BOOL tuple format to include per-entry severity
(key:expected:severity:detail) instead of hardcoding all as warning
- Set has_discussions and has_issues to error severity; others remain warning
- Change feature-ideation.yml finding from warning to error for BMAD repos
- Change SHOULD to MUST for BMAD ideation workflow requirement in standards
Addresses CodeRabbit and Copilot review comments on PR #53.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: grant claude-issue job tools to create PRs and check CI (#55)
The claude-issue job had no access to `gh` CLI or file editing tools,
so Claude could implement and push but never actually open a PR.
Added --allowedTools for gh pr create/view, gh run view/watch, cat,
Edit, and Write so the automation prompt can execute end-to-end.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add apply-repo-settings.sh to remediate compliance findings (#56)
Adds `scripts/apply-repo-settings.sh`, a companion to `compliance-audit.sh`
that applies all standard repository settings defined in
`standards/github-settings.md#repository-settings--standard-defaults`.
Addresses the `allow_auto_merge` compliance finding (issue #42) and any
other boolean/merge-config drift across org repos.
Usage (after merging, run with an admin token):
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh .github
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh --all
Closes #42
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add concurrency guard and comment tools to claude-issue job
- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools so Claude can
post review replies, resolve threads, and tag code owners
- Remove Bash(cat:*) since the Read tool already covers file reads
Addresses review feedback from CodeRabbit and Copilot across org PRs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add GH_TOKEN preflight check to compliance-audit.sh (#60)
Adds an early-exit preflight check at the top of main() that:
1. Fails fast with a clear error if GH_TOKEN is unset
2. Runs gh auth status to verify the token is valid before proceeding
Previously, auth failures manifested deep in the script as cryptic
gh CLI errors rather than a clear authentication failure.
Note: the step-level GH_TOKEN env var in the workflow also needs
to be added manually (cannot be done here due to workflow permissions).
See issue #30 for the required one-line workflow change.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: replace unpinned dtolnay/rust-toolchain action with rustup in dependency-audit.yml (#72)
fix: replace unpinned dtolnay/rust-toolchain action with rustup
Replaces `uses: dtolnay/rust-toolchain@stable` (unpinned action) with a
direct `rustup toolchain install stable --profile minimal` run step.
The action was used with no parameters so this is functionally identical.
Using a run step eliminates the action-pinning compliance finding since
`run:` steps are not subject to the SHA pinning requirement.
Closes #41
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add claude.yml template + checkout audit check (#63)
fix: add claude.yml template + checkout audit check (#33)
Root cause: the recent org-wide PRs added checkout only to the
claude-issue job, leaving the claude job (PR reviews / @claude
mentions) without one. claude-code-action reads CLAUDE.md and
AGENTS.md from the working tree; without checkout it errors on
every PR-triggered run.
Changes:
- standards/workflows/claude.yml: canonical copy-paste template
with checkout in both jobs, matching the other templates in
standards/workflows/. Both checkout steps are annotated as
REQUIRED to prevent silent removal.
- scripts/compliance-audit.sh: new check_claude_workflow_checkout()
detects any repo whose claude or claude-issue job is missing
checkout and raises an error finding. Wired into the main audit
loop so weekly scans surface affected repos automatically.
- standards/ci-standards.md: added a visible callout that both jobs
need checkout and a pointer to the new template file.
Closes #33
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add has_discussions and has_issues to apply-repo-settings.sh (#59)
Extends the remediation script to include has_discussions and has_issues
settings from standards/github-settings.md#repository-settings--standard-defaults.
Previously the script only covered merge settings, leaving discussions and
issue-tracking compliance gaps unaddressed.
Closes #58
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: auto-create required labels during compliance audit (#67)
fix: auto-create required labels during compliance audit and settings apply
Adds ensure_required_labels() to compliance-audit.sh so all 6 required
labels (security, dependencies, scorecard, bug, enhancement, documentation)
are idempotently created during each audit run, eliminating the
missing-label-* compliance finding category.
Also extends apply-repo-settings.sh with apply_labels() so the remediation
script covers labels alongside repository settings.
Closes #46
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add apply-rulesets.sh to create code-quality ruleset (#71)
* feat: add apply-rulesets.sh to create code-quality ruleset
Adds scripts/apply-rulesets.sh — an IaC script that creates or updates
the code-quality repository ruleset (required status checks) for any
petry-projects repo via the GitHub API.
The script:
- Auto-detects which CI workflows are present and derives the correct
GitHub Actions check context strings (<workflow-name> / <job-name>)
- Supports --dry-run to preview without applying
- Creates or updates the ruleset idempotently (POST or PUT)
- Supports --all to run across every non-archived org repo
Closes #49
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: remove dead workflow_job_names function; guard empty checks array
- Remove unused workflow_job_names() helper — dead code never called
- Guard printf against empty array with set -u on older bash versions
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: restore executable bit on apply-rulesets.sh
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: address Dependabot major version updates and markdownlint v23 compatibility (#68)
- Disable new markdownlint rules enabled by default in v23 (MD049, MD050,
MD054, MD055, MD056, MD058) to prevent CI failures when Dependabot PR #19
(markdownlint-cli2-action v9→v23) is merged
- Sync standards/workflows/dependency-audit.yml to action versions currently
in the live workflow: actions/checkout v6.0.2, actions/setup-node v6.3.0,
and updated pnpm/action-setup and actions/setup-go patch SHAs
Note: .github/workflows/ files require manual edits (no workflow write permission):
- dependabot-automerge.yml: add skip-commit-verification: true to fix PR #22
- dependency-audit.yml: correct 6 version comments (SHA updated but comment still says v4/v5)
Closes #36
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add app secrets guard and skip-commit-verification to dependabot workflows (#69)
* fix: add app secrets guard and skip-commit-verification to dependabot workflows
- Add `Check app secrets` step to all three dependabot workflow files so
missing APP_ID/APP_PRIVATE_KEY secrets produce a clear, actionable error
instead of the cryptic [@octokit/auth-app] appId option is required message
- Add `skip-commit-verification: true` to dependabot/fetch-metadata in
.github/workflows/dependabot-automerge.yml so it accepts the GitHub-authored
merge commits produced by the dependabot-rebase workflow
Closes #29
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: shorten error message lines to satisfy 200-char yamllint rule
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add org profile README (#61)
Creates profile/README.md with org overview, project table, standards
summary, and contribution guidelines.
Closes #37
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: update Node.js runtime examples from 20 to 24 in CI standards docs (#62)
* fix: update Node.js runtime from 20 to 24 across CI config and docs
Node.js 20 runtime is deprecated; GitHub will force Node.js 24 on
June 2 2026 and remove Node.js 20 entirely on September 16 2026.
- ci.yml: pin agent-security job to node-version '24'
- standards/ci-standards.md: update npm and pnpm pattern examples
Closes #34
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* revert: restore ci.yml to previous state (workflow permission not available)
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* docs: update compliance status and add bash 4+ requirement (#73)
* docs: update compliance status and add bash 4+ requirement
- Update Current Compliance Status table: all repo settings are now
fully compliant after bulk remediation; document remaining ruleset gaps
- Add Bash 4+ requirement note to apply-repo-settings.sh (uses
associative arrays, incompatible with macOS default Bash 3.2)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add bash 4+ runtime check to apply-repo-settings.sh
Addresses Copilot review: fail fast with actionable message instead of
cryptic declare -A error on macOS Bash 3.2.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump DavidAnson/markdownlint-cli2-action from 9.0.0 to 23.0.0 (#19)
chore(deps): Bump DavidAnson/markdownlint-cli2-action
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 9.0.0 to 23.0.0.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/5b7c9f74fec47e6b15667b2cc23c63dff11e449e...ce4853d43830c74c1753b39f3cf40f71c2031eb9)
---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
dependency-version: 23.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues (#76)
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues
- Add `in-progress` label (#fbca04) to standard label set in github-settings.md
and apply-repo-settings.sh so all repos have it available for agents to claim issues
- Add `in-progress` to compliance-audit.sh REQUIRED_LABELS and ensure_required_labels()
so the audit enforces its presence across repos
- Remove `--label "claude"` from individual compliance finding issues; individual issues
now only get the `compliance-audit` label so multiple agents don't race on them
- Add create_umbrella_issue() to compliance-audit.sh: after each audit run, one umbrella
issue is created in petry-projects/.github grouping all findings by remediation category.
Only the umbrella gets the `claude` label, triggering one coordinated agent run instead
of N competing agents each fixing the same script/file
- Add "Multi-Agent Issue Coordination" section to AGENTS.md with:
- Claim-before-work protocol (check in-progress label, check for open PRs, claim before
writing code, release claim on abandonment)
- File-conflict check (search open PRs for the target file before creating it)
- Compliance umbrella issue guidance (work from umbrella, fix whole category per PR)
Closes #75
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: declare body separately in create_umbrella_issue to satisfy ShellCheck SC2155
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: reusable Claude Code workflow with workflows write permission (#77)
feat: extract reusable Claude Code workflow with GH_PAT_WORKFLOWS support
Centralizes the Claude Code prompt and config into a reusable workflow
(claude-code-reusable.yml) so repo-level claude.yml files are thin callers.
Adds github_token input using GH_PAT_WORKFLOWS secret to grant workflows
write permission, unblocking Claude from pushing .github/workflows/ changes.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add pr-quality ruleset support to apply-rulesets.sh
Adds build_pr_quality_ruleset_json() function and updates apply_rulesets()
to create/update the pr-quality ruleset on each repo, per the standard
defined in standards/github-settings.md.
Ruleset enforces:
- 1 required approving review
- Dismiss stale reviews on push
- Require code owner review
- Require last push approval
- All review threads resolved before merge
- Linear history (squash-only merges)
- No force pushes, no branch deletion
Bypass actors: OrganizationAdmin (always), dependabot-automerge-petry (pull_request).
Also removes stale TODO note from standards/github-settings.md about
pr-quality support being missing from the script.
Closes #48
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add CODEOWNERS file for code owner review enforcement
Adds .github/CODEOWNERS assigning @don-petry as default owner for all files.
Satisfies the pr-quality ruleset requirement for code owner reviews (the
"Require code owner review" setting has no effect without a CODEOWNERS file).
Closes #50
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* Add Feature Ideation workflow as standard for BMAD-enabled repos (#81)
* feat: add Feature Ideation workflow as a standard for BMAD-enabled repos
Promotes the BMAD Analyst (Mary) feature ideation workflow piloted in
petry-projects/TalkTerm to an org-wide standard for any repo with BMAD
Method installed.
Adds:
- standards/workflows/feature-ideation.yml — the canonical template,
generalised from TalkTerm. Customisation surface is a single
PROJECT_CONTEXT env var that describes the project and its market.
- standards/ci-standards.md §8 rewrite — documents the multi-skill
ideation pipeline (Market Research → Brainstorming → Party Mode →
Adversarial), the Opus 4.6 model requirement, the github_token
permissions gotcha, and the show_full_output secrets hazard.
- standards/agent-standards.md — adds a "BMAD Method Workflows"
section linking the standard from the agent ecosystem docs.
The four critical gotchas baked into the template were each discovered
empirically during the TalkTerm pilot and would silently regress without
the inline comments. Most importantly: the action's auto-generated
claude[bot] App token lacks discussions:write, so the workflow MUST
pass github_token: ${{ secrets.GITHUB_TOKEN }} explicitly or every
Discussion mutation fails silently while the run reports success.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: split feature-ideation into reusable workflow + thin caller stub
Avoids ~600 lines of prompt duplication across every BMAD-enabled repo and
makes the multi-skill ideation pipeline tunable in one place — changes here
propagate to every adopter on next scheduled run.
- .github/workflows/feature-ideation-reusable.yml — the actual reusable
workflow (workflow_call). Contains both jobs (signal collection +
analyst), the full Phase 1-8 prompt, and the four critical gotchas
(Opus 4.6 model, github_token override, no show_full_output, structural
Phase 2-5 sequence) hard-coded so they cannot regress.
- standards/workflows/feature-ideation.yml — replaced the 600-line copy
with a ~60-line caller stub that only defines the schedule, the
workflow_dispatch inputs, and a single required parameter:
project_context.
- standards/ci-standards.md §8 — documents the reusable + caller stub
architecture, the inputs/secrets contract, and updated adoption steps.
Reference implementation pointer updated to note that TalkTerm is now
also a thin caller stub.
Inputs exposed by the reusable workflow:
- project_context (required) — project description for Mary
- focus_area (default '') — typically wired to workflow_dispatch
- research_depth (default 'standard')
- model (default 'claude-opus-4-6') — escape hatch only
- timeout_minutes (default 60)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): add shellcheck disable for GraphQL variable false positive
The gh api graphql queries use $repo / $owner / $categoryId as GraphQL
variables (not shell expansions), which must remain in single quotes.
shellcheck SC2016 fires anyway — disable it for this script.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): use quoted heredocs for GraphQL queries to satisfy SC2016
actionlint runs shellcheck on the entire run script as one unit and ignores
inline disable directives. Rewriting the gh api graphql calls to use
cat <<'GRAPHQL' heredocs makes the GraphQL variable references ($repo,
$owner, $categoryId) shell-inert without depending on single-quoted
string literals — eliminating the SC2016 false positive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: expand prompt variables via Actions expressions, add placeholder guard
CodeRabbit caught a critical latent bug inherited from the original TalkTerm
prompt: shell-style $VAR and $(date) syntax inside the action's `prompt:`
input is NOT expanded — the action receives literal text. This silently
broke variable substitution in every prior run, but mattered most for the
new reusable workflow because PROJECT_CONTEXT is now load-bearing.
Changes:
- Replace $PROJECT_CONTEXT, $FOCUS_AREA, $RESEARCH_DEPTH, and $(date ...)
with ${{ inputs.* }} and ${{ github.run_started_at }} expressions, which
ARE evaluated by GitHub before passing the prompt to the action.
- Add a "Validate project_context is customised" pre-step that fails fast
if an adopter copied the caller stub without replacing the TODO
placeholder. Prevents wasted Opus runs producing generic Discussions.
- scripts/compliance-audit.sh: detect BMAD repos via `_bmad-output/` as
well as `_bmad/`, matching the broader detection rule documented in
ci-standards.md §8 (TalkTerm only has `_bmad-output/`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): drop github.run_started_at (not in actionlint context schema)
The agent can read scan_date from signals.json instead — added a hint
in the Environment section.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(caller): grant cascading permissions on the calling job
CodeRabbit caught: the caller stub had `permissions: {}` at workflow
level and no permissions block on the calling job. Reusable workflows
inherit permissions from the calling job — without an explicit grant,
the reusable workflow's `discussions: write` declaration would have
nothing to apply, and Discussion mutations would fail with FORBIDDEN
just like the original bug we fixed in TalkTerm.
The reusable workflow's job-level permissions are documentation of
what it needs; the caller is what actually grants them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use claude_args --model interface; instruct re-query before create
Two more fixes from CodeRabbit review:
1. Model selection via claude_args (the documented v1 interface)
instead of ANTHROPIC_MODEL env var. claude_args takes precedence over
the env var per the action's docs, so depending on the env var was
relying on undocumented behavior. The pinned v1.0.89 happens to honor
ANTHROPIC_MODEL too (verified in TalkTerm run #3 logs), but the
documented path is more robust against future action upgrades.
2. Re-query existing Ideas discussions before each create. The signals
snapshot only fetches the first page of discussions (GraphQL caps
connections at 100 per page) and only covers the Ideas category, not
the General fallback. Mary now does a fresh query before each create
to avoid duplicates in repos with >100 idea threads or where Ideas
doesn't exist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: pass GH_PAT_WORKFLOWS to actions/checkout so git push uses workflow-scoped token (#82)
* fix: auto-create missing required labels during compliance audit (#79)
Replace passive `missing-label-*` findings with active label creation.
`check_labels()` now calls `gh label create --force` for any required
label absent from a repo. A compliance finding is only filed if creation
fails (insufficient permissions) or when running in DRY_RUN mode.
Resolves the recurring `missing-label-scorecard` finding (#47) by
creating the label on the next audit run rather than just reporting it.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: encode compliance-fix learnings into standards and Claude prompt (#86)
* fix(claude-action): grant administration:write, allow gh api/label create, add standards-conformance prompt rules
* docs(ci-standards): add 'Using Templates' section, SHA lookup procedure, document administration:write
* docs(AGENTS): link standards root and per-topic standards files at top of file
* docs(AGENTS): wrap standards-rule paragraph to satisfy MD013 line-length
* fix(claude-action): yamllint disable for long allowedTools line
* fix(claude-action): remove invalid 'administration' permission scope; document GH_PAT_WORKFLOWS as the actual mechanism
* docs(ci-standards): replace bogus 'administration: write' note with explanation of how admin ops actually work via GH_PAT_WORKFLOWS
* feat(workflows): centralize standards via reusable workflows (#87)
* feat(workflows): centralize standards via reusable workflows
Build org-wide reusable workflows for the four standards that previously
required full inline copies in every downstream repo, and migrate the
matching standards/workflows/*.yml templates to thin caller stubs that
delegate via `uses: petry-projects/.github/.github/workflows/*-reusable.yml@main`.
This extends the pattern already proven by feature-ideation and the
existing claude-code-reusable workflow to the rest of the standard set:
- dependency-audit-reusable.yml (zero per-repo config)
- dependabot-automerge-reusable.yml (uses secrets: inherit for APP_*)
- dependabot-rebase-reusable.yml (uses secrets: inherit for APP_*)
- agent-shield-reusable.yml (inputs for severity/required-files/org-ref)
The standards/workflows/claude.yml template was also still the inline
115-line version even though claude-code-reusable.yml has existed for
weeks; migrate it to a stub matching the central repo's own claude.yml.
Each migrated stub now carries a uniform "SOURCE OF TRUTH" header block
telling agents what they may and may not edit. Net effect: ~580 lines
removed from standards/workflows, single point of maintenance for the
five centralizable workflows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): grant read permissions to dependabot caller stubs
Reusable workflows can be granted no more permissions than the calling
workflow has. The dependabot-automerge and dependabot-rebase stubs had
`permissions: {}` at workflow level with no job-level overrides, which
intersected to zero — the reusable's `gh pr ...` calls would fail
because GITHUB_TOKEN had no scopes.
Fix: declare `contents: read` and `pull-requests: read` on the calling
job, matching the scopes the reusable's job already declares. Caught
by Copilot review on #87.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(workflows): note permissions stanza in immutable-stub contract
CodeRabbit follow-up on #87: now that the dependabot stubs declare a
job-level permissions block (required for the reusable's gh API calls),
add it to the "MUST NOT change" list so future adopters don't strip it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(workflows): pin reusable callers to @v1 and document tier model (#88)
* feat(workflows): pin all reusable callers to @v1 + add tier model
Pins all stubs in standards/workflows/ and the central repo's own
.github/workflows/claude.yml from @main to @v1. From here on, a bad
commit on main cannot break every downstream repo simultaneously —
breaking changes will publish v2 and downstream repos opt in.
Adds a "Centralization tiers" section to ci-standards.md documenting
the three tiers (stub / per-repo template / free per-repo) so future
agents know whether a workflow file is editable, what they may tune,
and where to send fixes when behavior needs to change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* revert(workflows): keep central claude.yml caller at @main in this PR
claude-code-action validates that .github/workflows/claude.yml in a PR
is byte-identical to main, so updating it within a normal PR is
impossible — the validation fails before the merge can land. Updating
the central repo's own caller will be done as a tiny separate change
after this lands.
Standards stubs remain pinned to @v1 — that is the change that matters
for downstream repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): unify feature-ideation header + correct tier doc
Address Copilot review on #88:
1. feature-ideation.yml: prepend the same SOURCE OF TRUTH header block
used by the other Tier 1 stubs so the claim "Tier 1 stubs all carry
an identical header" is actually true.
2. ci-standards.md tier table: drop the inaccurate "~30-line" claim
(feature-ideation.yml is ~95 lines because of the `project_context`
input). Replace with "thin caller stub" and call out feature-ideation's
required input alongside agent-shield's optional ones.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect non-stub centralized workflow copies (#89)
* feat(compliance-audit): detect non-stub centralized workflow copies
Adds a new check to compliance-audit.sh that flags downstream repos
whose Tier 1 workflows are not the canonical thin caller stubs pinned
to @v1. For each centralizable workflow (claude, dependency-audit,
dependabot-{automerge,rebase}, agent-shield, feature-ideation), the
check distinguishes three failure modes for actionable findings:
1. Inline copy of pre-centralization logic
→ "is an inline copy instead of a thin caller stub"
2. References the reusable but not pinned to @v1 (e.g. @main, @v0)
→ "references the reusable but is not pinned to @v1"
3. Some other malformed uses: line
→ "the uses: line does not match the canonical stub"
The central .github repo is exempt because it owns the reusables and
may legitimately reference them by @main during release preparation.
Verified locally with hand-crafted fixtures: stub@v1 → no finding,
stub@main → flagged with the @v1 message, inline copy → flagged with
the inline message, missing file → no finding (handled by
check_required_workflows).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): use fixed-string grep for reusable path match
CodeRabbit on #89: the second-branch grep used an unescaped
"petry-projects/.github/.github/workflows/${reusable}" pattern,
where BRE dots could in principle match any character. Switch to
\`grep -F\` (fixed-string) to match the path literally. No real-world
false positive observed (workflow paths contain literal dots), but
the hygiene is right.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): anchor uses: regex + reduce per-repo API calls
Address remaining Copilot review feedback on #89:
1. Anchor the \`uses:\` regex to start-of-line + optional indent
(\`^[[:space:]]*uses:\`) so a commented \`# uses: ...@v1\` line
cannot fool the check into marking an inline workflow as compliant.
Verified with a fixture: a workflow whose only mention of @v1 is in
a YAML comment is now correctly flagged.
2. List \`.github/workflows/\` once per repo and short-circuit the
per-file check when the workflow isn't present, instead of probing
each of the six centralized files individually. Cuts up to 5 wasted
gh api calls per repo (worst case ~2500 fewer requests across the
org per audit run).
3. Drop the misleading "missing workflow caught by check_required_workflows"
comment — only some of the six are required (claude, dependency-audit,
dependabot-automerge, agent-shield); dependabot-rebase and feature-ideation
are intentionally optional/conditional. The new directory-listing
short-circuit handles all of these uniformly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(apply-rulesets): use Tier 1 reusable check names (#94)
Closes #91.
`scripts/apply-rulesets.sh` previously only knew about claude.yml,
sonarcloud.yml, codeql.yml, and ci.yml when building required-status-
checks lists. For claude.yml it composed `<workflow-display-name> /
claude` (e.g. "Claude Code / claude") — but GitHub actually publishes
reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`,
which is "claude-code / claude". The old format never matched real
checks, so the rule was effectively never satisfied — which is why
markets and bmad-bgreat-suite deadlocked at merge time after #87.
Fix:
- Drop the legacy claude.yml block.
- Hardcode the new check names for the centralized workflows that ARE
safe to require: `agent-shield / AgentShield` and
`dependency-audit / Detect ecosystems`.
- Document why claude-code / claude, the per-ecosystem dependency-audit
jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT
required: claude-code's app-token validation deadlocks workflow PRs;
per-ecosystem jobs report SKIPPED when their lockfile is absent and
required-but-skipped fails the gate; the dependabot/feature-ideation
jobs run on triggers other than regular PRs.
After this lands, run `apply-rulesets.sh` against every petry-projects
repo to converge on the new names.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): address CodeRabbit suggestions deferred from #87 (#93)
* fix(workflows): address CodeRabbit suggestions deferred from #87
Closes #90.
1) agent-shield-reusable.yml — SKILL.md frontmatter regex now allows
optional leading whitespace (`^[[:space:]]*name:` /
`^[[:space:]]*description:`), so indented YAML keys (e.g. under a
`metadata:` parent) are recognised as present. Previously the strict
column-zero anchor missed them.
2) dependabot-rebase-reusable.yml — fix vacuous-truth merge gate.
`[].statusCheckRollup[]? | ... | all(...)` returns true on an empty
list (logical convention), which made a PR with no status checks
appear "all green" and trigger an auto-merge. New gate also requires
at least one COMPLETED check before merging, in addition to the
existing all-pass and zero-pending requirements. Also collapses the
three `gh pr view` calls into one round-trip via a shared $ROLLUP.
3) dependency-audit-reusable.yml — cargo audit no longer re-runs per
workspace member. The new logic finds workspace roots (Cargo.toml
files containing `[workspace]`) and audits them once each, then
audits standalone crates whose dir is not under any workspace root.
For a workspace with N members, that's 1 audit instead of N+1.
4) dependency-audit-reusable.yml — pip-audit now audits both
pyproject.toml AND requirements.txt when both exist in the same
directory (some projects ship pyproject for tooling and
requirements.txt for pinned runtime deps). Previously the elif
branch made requirements.txt unreachable.
All four were originally raised by CodeRabbit on petry-projects/.github#87
and intentionally deferred to keep that PR no-behavior-change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): single space before cron comment in feature-ideation stub
The canonical stub had three spaces aligning the comment after the cron
expression. Repos that run prettier in their lint chain (e.g.
google-app-scripts) hit a `prettier --check` failure on every fresh
adoption — see petry-projects/google-app-scripts#151. Bringing the
template in line with prettier defaults so future adopters don't drift.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect stale required-check names in rulesets (#96)
* feat(compliance-audit): detect stale required-check names in rulesets
Closes #92.
Adds `check_centralized_check_names` to compliance-audit.sh. For every
non-`.github` repo in the org, fetches the active required-status-check
contexts from BOTH the new ruleset system (gh api .../rules/branches/main)
and classic branch protection (gh api .../branches/main/protection),
then flags two distinct problems:
1. Stale pre-centralization names (`claude`, `claude-issue`,
`AgentShield`, `Detect ecosystems`) — emits
`stale-required-check-<old-name>` with the canonical replacement in
the message.
2. `claude-code / claude` listed as required — emits
`required-claude-code-check-broken` because that check is
structurally incompatible with workflow-modifying PRs:
claude-code-action's GitHub App refuses to mint a token whenever
the PR diff includes a workflow file, so the check fails on every
workflow PR and the merge gate becomes a deadlock. This was the
exact root cause of the markets/bmad-bgreat-suite stuck PRs from
#87 sweep.
Tested locally with stub fixtures for all four cases (stale claude,
stale AgentShield, broken claude-code/claude, clean ruleset).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): never recommend renaming claude → claude-code/claude
CodeRabbit on #96: the rename map said `claude` → `claude-code / claude`,
but a separate check correctly flags `claude-code / claude` as a forbidden
required check (it deadlocks workflow PRs). Following the rename
recommendation would have moved a repo from one broken state to another.
Fix: split the logic into two distinct sets.
1. `renames[]` — only contains checks where the new name is safe to
require (AgentShield, Detect ecosystems). These get a "rename to X"
message.
2. `forbidden_required[]` — contains every claude variant (legacy and
post-centralization). Any of them as a required check emits a
stable per-name finding telling the maintainer to REMOVE it from
required checks, not rename it.
The Claude review check still runs and surfaces feedback on normal PRs
without being a merge gate; only the required-status-checks pin is
removed.
Each forbidden_required entry maps to a stable check id so findings
don't churn across audit runs from slashes in canonical names.
Verified locally with stub fixtures for all five cases:
stale `claude` -> required-claude-check-broken
stale `claude-issue` -> required-claude-issue-check-broken
`claude-code / claude` -> required-claude-code-check-broken
stale `AgentShield` -> stale-required-check-AgentShield (rename)
clean ruleset -> 0 findings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): suffix-match forbidden Claude required checks
Address remaining CodeRabbit feedback on #96: the previous exact-match
list (`claude-code / claude`, `claude-code / claude-issue`) only caught
the canonical caller-job-id. Repos with a custo…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #91.
scripts/apply-rulesets.shpreviously composed claude.yml's required check name as<workflow-display-name> / claude(e.g.Claude Code / claude). GitHub actually publishes reusable check names as<caller-job-id> / <reusable-job-id-or-name>—claude-code / claude. The old format never matched real checks, which is why petry-projects/markets#78 and petry-projects/bmad-bgreat-suite#78 deadlocked yesterday.Changes
build_required_status_checks.agent-shield / AgentShielddependency-audit / Detect ecosystemsTest plan
bash -nandshellcheckcleanapply-rulesets.shagainst each petry-projects repo to converge🤖 Generated with Claude Code
Summary by CodeRabbit