feat: implement issue #87 — Scorecard: Pinned-Dependencies (6/10)

[don-petry]

Closes #87

Implemented by dev-lead agent. Please review.

[coderabbitai]

Warning

Review limit reached

@github-actions[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 5 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a7aa4bc1-09e4-4bd5-9529-9b027ccb5953

📥 Commits

Reviewing files that changed from the base of the PR and between 963f6a5 and fbcc3ae.

📒 Files selected for processing (7)

• .github/workflows/dependabot-automerge.yml
• .github/workflows/dependency-audit.yml
• .github/workflows/dev-lead.yml
• .github/workflows/pr-auto-review.yml
• .github/workflows/pr-review.yml
• scripts/apply-repo-settings.sh
• scripts/setup-code-quality-ruleset.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev-lead/issue-87-20260606-1408

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request simplifies the preflight check in both scripts/apply-repo-settings.sh and scripts/setup-code-quality-ruleset.sh by replacing the single-iteration loop with a direct check for the gh command. The reviewer suggested improving error handling by redirecting error messages to standard error (stderr) and suppressing potential error output from command -v by redirecting its standard error to /dev/null.

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — fix-reviews (no-changes)

Agent reasoning

Addressed 0 threads:
(No open threads — both review threads were already resolved and outdated before this run)
CI checks: 3 CodeQL checks QUEUED (not failed — no Tier 1 blockers)
Review state: COMMENTED only (no CHANGES_REQUESTED — no Tier 1 blockers)
Test verification: PASS — 301 tests across 12 suites, 0 failures
Files changed: none
```
**Assessment:** PR #369 is clean. Both `gemini-code-assist` threads (`PRRT_kwDORFz9wc6HklZX`, `PRRT_kwDORFz9wc6HklZe`) about redirecting stderr in `scripts/apply-repo-settings.sh` and `scripts/setup-code-quality-ruleset.sh` are already resolved and marked outdated. No Tier 1 blockers exist.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
PR #369 is in a clean state — no actionable bot findings, no open unresolved threads, and no CI failures. No changes required.
```

[Copilot]

Pull request overview

Pins reusable GitHub Actions workflow dependencies by commit SHA to improve OpenSSF Scorecard Pinned-Dependencies compliance (issue #87), plus a small cleanup in repo admin helper scripts.

Changes:

• Pin org reusable workflows previously referenced by @main/@v2 to specific commit SHAs in multiple workflow caller stubs.
• Simplify gh CLI preflight checks in repo admin scripts (remove single-item loop).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
scripts/setup-code-quality-ruleset.sh	Simplifies gh preflight check to a direct command -v gh guard.
scripts/apply-repo-settings.sh	Simplifies gh preflight check to a direct command -v gh guard.
.github/workflows/pr-review.yml	Pins the pr-review reusable workflow call to a commit SHA.
.github/workflows/pr-auto-review.yml	Pins the pr-auto-review reusable workflow call to a commit SHA.
.github/workflows/dev-lead.yml	Pins the dev-lead reusable workflow call to a commit SHA.
.github/workflows/dependency-audit.yml	Pins the dependency-audit reusable workflow call to a commit SHA.
.github/workflows/dependabot-automerge.yml	Pins the dependabot-automerge reusable workflow call to a commit SHA.

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

- No bot comment was provided; no actionable issues to fix.
**Tier 1 blocker check:**
- CI checks: All **pass** (CodeQL, Node.js Tests, Playwright UI Tests, SonarCloud, dependency-audit, autofix, build-and-test, etc.)
- Reviews: No `CHANGES_REQUESTED` states — only `COMMENTED` from `gemini-code-assist` and `copilot-pull-request-reviewer`
**Open review threads (from `copilot-pull-request-reviewer`):**
- `PRRT_kwDORFz9wc6HknEG` — `.github/workflows/dependency-audit.yml` header guidance inconsistency → **already fixed** in commit `edf2704` (header updated to allow pinned SHA refresh)
- `PRRT_kwDORFz9wc6HknEU` — `.github/workflows/dependabot-automerge.yml` same issue → **already fixed** in commit `edf2704`
These threads were not resolved because the ACTOR field was empty — only threads from the triggering bot should be resolved per task constraints.
**Files changed:** None (no changes needed)
**Skipped (informational):** 2 copilot comment threads — concerns pre-emptively addressed by existing commits before this agent ran

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Tier 1 blockers: 0
CI Status: All checks passing
  ✓ Analyze (actions/javascript-typescript/python)
  ✓ CodeQL
  ✓ CodeRabbit (Review completed)
  ✓ Node.js Tests
  ✓ Playwright UI Tests
  ✓ Secret scan (gitleaks)
  ✓ SonarCloud
  ✓ agent-shield / AgentShield
  ✓ build-and-test, coverage, dependency-audit/npm audit
Review states: No CHANGES_REQUESTED
  • gemini-code-assist[bot] — COMMENTED
  • copilot-pull-request-reviewer[bot] — COMMENTED
Open threads: 2 threads from copilot-pull-request-reviewer (not the specified bot)
  • PRRT_kwDORFz9wc6HknEG — about dependabot-automerge.yml header clarification
  • PRRT_kwDORFz9wc6HknEU — about dependency-audit.yml header clarification
  Note: Both threads were raised before the PR updated the headers; the PR already
  addresses the concern. These are from copilot-pull-request-reviewer, not the
  specified bot actor, so they are not resolved here.
Files changed: (none — no changes required)
Skipped (informational): 2 copilot review thread comments (already addressed by PR)
```
The PR is in good shape — all CI checks pass, no reviews request changes, and the bot comment was empty (no actionable issues). The two open Copilot threads are about header comment clarity in workflow files; those concerns are already addressed by the PR's header updates to `dependabot-automerge.yml` and `dependency-audit.yml`, but since the actor was unspecified, those threads are left for Copilot or a human reviewer to resolve.

[don-petry]

@dev-lead please process and advance this PR — fix any failing CI, resolve outstanding review threads, and enable auto-merge once it's green and approvable.

[github-actions]

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease