fix: pin feature-ideation.yml reusable workflow to SHA #129

Closed
don-petry wants to merge 24 commits into main from claude/issue-88-20260419-1833

Conversation

don-petry (Contributor) commented Apr 19, 2026

Summary

  • Pins petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from @v1 to SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to resolve the action-pinning compliance finding
  • Syncs file with latest upstream template: adds dry_run workflow_dispatch input, actions: read permission, and sources_file optional comment

SHA Verification

SHA was looked up via:

gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.sha'
# → ee22b427cbce9ecadcf2b436acb57c3adf0cb63d

Closes #88

Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added optional dry_run parameter for manual workflow dispatches
  • Chores

    • Updated workflow to reference stable commit hash instead of tag
    • Enhanced job permissions to include actions access

Review Change Stack

Pins petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
from @v1 to its resolved SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d
to satisfy the action-pinning compliance policy.

Also syncs the file with the latest upstream template: adds dry_run
workflow_dispatch input, actions: read permission, and sources_file
optional comment.

Closes #88

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
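The compliance rule this PR satisfies (every remote `uses:` reference pinned to a full commit SHA rather than a moving tag) can be checked mechanically. The script below is an added example written for this page; it is not code from the PR or from the petry-projects repositories. It scans workflow text for `uses:` lines and reports any remote reference whose `@ref` is not a 40-hex commit SHA; local (`./`) and `docker://` references are skipped because no SHA applies to them. The two sample stubs are constructed to show the pre-PR `@v1` form and the pinned form from this PR.

```python
import re
from typing import List, Tuple

# Matches a `uses:` line at job or step level. Surrounding quotes are optional;
# anything after whitespace or a `#` (e.g. the "# v1" marker) is not part of the value.
USES_RE = re.compile(r'''^\s*(?:-\s*)?uses:\s*["']?([^"'#\s]+)["']?''')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref_spec: str) -> str:
    """Classify one `uses:` value.

    "local"    -> ./path reference inside the repository (no ref to pin)
    "docker"   -> docker:// image reference (pinning is a digest, out of scope here)
    "bare"     -> remote reference with no @ref at all
    "pinned"   -> @ref is a full 40-hex commit SHA
    "unpinned" -> @ref is a tag, branch or abbreviated SHA
    """
    if ref_spec.startswith("./"):
        return "local"
    if ref_spec.startswith("docker://"):
        return "docker"
    if "@" not in ref_spec:
        return "bare"
    _, ref = ref_spec.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.match(ref) else "unpinned"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, uses value) for every remote reference not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) in ("unpinned", "bare"):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample caller stubs: "before" uses the moving tag, "after" uses the
# commit SHA from this PR's description with the informational "# v1" marker.
SAMPLE_BEFORE = """\
jobs:
  ideate:
    permissions:
      id-token: write
    uses: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml@v1
"""

SAMPLE_AFTER = """\
jobs:
  ideate:
    permissions:
      id-token: write
      actions: read
    uses: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1
    with:
      dry_run: ${{ inputs.dry_run || false }}
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = find_unpinned_uses(text)
        print(f"{name}: {len(hits)} unpinned reference(s)")
        for lineno, spec in hits:
            print(f"  line {lineno}: {spec}")
```

Running it against a real `.github/workflows/` directory is a matter of reading each file and calling `find_unpinned_uses`; a non-empty result is the same class of finding that issue #88 raised. The check is deliberately line-based rather than YAML-parsed so that it also catches `uses:` values hidden inside quoted strings or list items.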
Copilot AI review requested due to automatic review settings April 19, 2026 18:35
coderabbitai Bot commented Apr 19, 2026

📝 Walkthrough

The PR updates the feature-ideation workflow stub to add a manual dry_run toggle for testing, pins the reusable workflow reference to a specific commit hash for compliance, updates job permissions, and wires the new input through to the downstream reusable workflow.

Changes

Feature Ideation Workflow Updates

Layer / File(s) / Summary

  • Workflow dispatch input and job configuration (.github/workflows/feature-ideation.yml): Adds a new workflow_dispatch boolean input dry_run (default false) to manually control Discussion mutation behavior. Updates the reusable workflow reference from the moving @v1 tag to pinned commit hash ee22b427cbce9ecadcf2b436acb57c3adf0cb63d for compliance, and expands job permissions to include actions: read.
  • Dry-run parameter pass-through (.github/workflows/feature-ideation.yml): Wires the new dry_run input through to the reusable workflow via with.dry_run, maintaining backward compatibility with default false.
  • Documentation and formatting updates (.github/workflows/feature-ideation.yml): Updates surrounding stub documentation text and adjusts comment formatting while preserving the existing cron schedule.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • #88 — Directly addresses the compliance finding by pinning the reusable workflow reference from @v1 to a specific commit hash instead of a moving tag.

Possibly related PRs

  • petry-projects/markets#68 — Modifies the same workflow stub's jobs.ideate reusable-workflow reference and forwarded inputs, so the dry_run plumbing and workflow caller changes overlap.
  • petry-projects/markets#78 — Updates the same .github/workflows/feature-ideation.yml stub by adjusting reusable workflow invocation and inputs.
🚥 Pre-merge checks: 5 passed

  • Description Check (Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (Passed): The title accurately describes the main change: pinning the feature-ideation.yml reusable workflow from a version tag to a specific commit SHA.
  • Linked Issues check (Passed): The PR fully addresses issue #88 by pinning the reusable workflow to SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d, resolving the action-pinning compliance finding.
  • Out of Scope Changes check (Passed): While the PR includes additional changes (dry_run input, actions: read permission, sources_file comment) beyond the core SHA pinning requirement, these represent synchronization with the upstream template and maintain backward compatibility.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

don-petry (Contributor Author) commented

@don-petry — PR is ready for review and merge. This pins the feature-ideation-reusable.yml reusable workflow to SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d (the current v1 tag), resolving the action-pinning compliance finding in issue #88.

Copilot AI left a comment


Pull request overview

This PR updates the repository’s Feature Ideation workflow caller stub to comply with action-pinning requirements by pinning the reusable workflow reference to a specific commit SHA, while also syncing a few upstream-template improvements (new input and permissions).

Changes:

  • Pin petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from @v1 to commit ee22b427cbce9ecadcf2b436acb57c3adf0cb63d.
  • Add dry_run as a workflow_dispatch input and forward it to the reusable workflow.
  • Add actions: read to the job token permissions and document optional sources_file usage.


id-token: write
uses: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml@v1
actions: read
uses: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1
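Review bot: the trailing `# v1` on `uses: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1` is the only human-readable link between the pin and an upstream version, and it goes stale as soon as the v1 tag is re-pointed while the SHA stays put; a later automated re-review on this PR already notes the drift. Suggest recording the upstream commit date alongside it (the reviewed commit is dated 2026-04-17 per the re-review) so a reader can tell at a glance how old the pin is, and, since `uses:` only resolves to commit objects, confirm before merge that the SHA is the commit and not an annotated-tag object, which `refs/tags/v1` returns for annotated tags. The `actions: read` line under `id-token: write` is appropriately scoped for the reusable workflow's last-successful-run lookup.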

Copilot AI Apr 19, 2026


The file header states you “MUST NOT change” the uses: line and job-level permissions: block, but this PR intentionally updates both (SHA pin + actions: read). Consider updating that guidance to clarify that syncing/pinning the reusable ref and adding required permissions is allowed, so future editors aren’t confused by the contradiction.

don-petry (Contributor Author) commented Apr 19, 2026

Outdated review (superseded by re-review at 695906723bdff7af2d88030375c7d8ba35b1dc40)

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 51e3e0161ff8715b76da9d7d914021d8268b7f19
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

PR #129 pins a reusable GitHub Actions workflow to a specific commit SHA to satisfy action-pinning compliance (issue #88). All CI checks pass (CodeQL, SonarCloud, AgentShield all green with 0 security hotspots). The changes are a net security improvement; risk is MEDIUM only because GitHub Actions files are in scope — no escalation warranted.

Findings

Minor

  • [minor] .github/workflows/feature-ideation.yml:94 — PR description verifies the SHA via gh api repos/petry-projects/.github/git/refs/tags/v1 --jq .object.sha. For annotated tags this returns the tag-object SHA, not the commit SHA. GitHub Actions resolves uses: to commit SHAs, so if v1 is an annotated tag the pinned SHA would be the tag object and the workflow would fail at runtime. The SHA should be verified with --jq '.object | if .type == "tag" then .sha else .sha end' or by dereferencing the tag object. This is worth confirming before merge but is a correctness risk, not a security risk.

Info

  • [info] .github/workflows/feature-ideation.yml:94 — SHA pinning of reusable workflow is the correct supply-chain security practice. The comment # v1 alongside the SHA is good for maintainability.
  • [info] .github/workflows/feature-ideation.yml:88 — Addition of actions: read permission is correctly scoped and documented in the inline comment (needed for feed-checkpoint last-successful-run query).
  • [info] (ci) — All CI checks passed: CodeQL (SUCCESS), SonarCloud Quality Gate (0 new issues, 0 security hotspots), AgentShield (SUCCESS), Dependency audit (SKIPPED — no packages changed). No scanner warnings.
  • [info] .github/workflows/feature-ideation.yml:110 — New dry_run boolean input is correctly typed and forwarded as ${{ inputs.dry_run || false }}. Default is false, so existing scheduled runs are unaffected.

CI status

All CI checks passed: CodeQL (SUCCESS), SonarCloud Quality Gate (0 new issues, 0 security hotspots), AgentShield (SUCCESS), Dependency audit (SKIPPED — no packages changed).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
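The minor finding above turns on a detail of the GitHub Git Data API: GET repos/{owner}/{repo}/git/refs/tags/{tag} returns object.type "commit" for a lightweight tag but "tag" for an annotated tag, in which case object.sha is the tag object and must be dereferenced through GET repos/{owner}/{repo}/git/tags/{sha} to reach the commit. The Python below is an added example for this page, not code from the review cascade or from petry-projects. The `get_json` callable stands in for `gh api <path>`; the API responses, the annotated-tag object SHA (all ones) and the `fake_gh_api` helper are constructed here, while PINNED_SHA is the SHA from the PR description.

```python
from typing import Any, Callable, Dict

JsonGetter = Callable[[str], Dict[str, Any]]  # stands in for `gh api <path>`

# SHA the PR pins to (from the PR description). Everything else below is constructed.
PINNED_SHA = "ee22b427cbce9ecadcf2b436acb57c3adf0cb63d"
TAG_OBJECT_SHA = "1" * 40  # constructed placeholder for an annotated-tag object


def resolve_tag_commit(owner: str, repo: str, tag: str, get_json: JsonGetter) -> str:
    """Return the commit SHA a tag points to, dereferencing annotated tags.

    Lightweight tag: refs/tags/<tag> -> object.type == "commit"; object.sha is the commit.
    Annotated tag:   refs/tags/<tag> -> object.type == "tag";    object.sha is a tag object,
                     and git/tags/<sha> -> object.sha is the commit (or another tag object).
    """
    obj = get_json(f"repos/{owner}/{repo}/git/refs/tags/{tag}")["object"]
    hops = 0
    while obj["type"] == "tag":  # tag-of-tag chains are legal in git; bound the loop
        hops += 1
        if hops > 5:
            raise ValueError(f"tag {tag}: dereference chain too deep")
        obj = get_json(f"repos/{owner}/{repo}/git/tags/{obj['sha']}")["object"]
    if obj["type"] != "commit":
        raise ValueError(f"tag {tag} resolves to a {obj['type']} object, not a commit")
    return obj["sha"]


def check_pin(pinned_sha: str, resolved_sha: str) -> str:
    """Describe how a workflow's pinned SHA relates to the tag's current commit."""
    if pinned_sha == resolved_sha:
        return "pinned SHA matches the tag's current commit"
    return "pinned SHA differs from the tag's current commit (tag moved or pin is stale)"


# Constructed API responses standing in for `gh api` output.
LIGHTWEIGHT_TAG_API = {
    "repos/petry-projects/.github/git/refs/tags/v1": {
        "ref": "refs/tags/v1",
        "object": {"type": "commit", "sha": PINNED_SHA},
    },
}

ANNOTATED_TAG_API = {
    "repos/petry-projects/.github/git/refs/tags/v1": {
        "ref": "refs/tags/v1",
        "object": {"type": "tag", "sha": TAG_OBJECT_SHA},
    },
    f"repos/petry-projects/.github/git/tags/{TAG_OBJECT_SHA}": {
        "tag": "v1",
        "object": {"type": "commit", "sha": PINNED_SHA},
    },
}


def fake_gh_api(table: Dict[str, Dict[str, Any]]) -> JsonGetter:
    """Build a get_json callable that answers from a constructed response table."""
    def get(path: str) -> Dict[str, Any]:
        if path not in table:
            raise KeyError(f"no constructed response for {path}")
        return table[path]
    return get


if __name__ == "__main__":
    for label, table in (("lightweight", LIGHTWEIGHT_TAG_API), ("annotated", ANNOTATED_TAG_API)):
        naive = table["repos/petry-projects/.github/git/refs/tags/v1"]["object"]["sha"]
        commit = resolve_tag_commit("petry-projects", ".github", "v1", fake_gh_api(table))
        print(f"{label} tag: refs API object.sha={naive[:12]}..., commit={commit[:12]}..., "
              f"{check_pin(PINNED_SHA, commit)}")
```

Against a live repository, `get_json` can be `lambda path: json.loads(subprocess.check_output(["gh", "api", path]))`, or the whole lookup can be replaced by `git rev-parse v1^{commit}` in a clone, which performs the same dereference. Either way the value to pin is the commit SHA the function returns, not whatever `refs/tags/v1` reports as object.sha.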

@don-petry don-petry enabled auto-merge (squash) April 19, 2026 19:31

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment


Automated approval after review posting fix

@github-actions github-actions Bot requested a review from a team as a code owner May 4, 2026 20:38
don-petry (Contributor Author) commented

@claude Please address all open review comments on this PR from CodeRabbit and Copilot.

claude Bot commented May 6, 2026

Claude encountered an error (View job)


I'll analyze this and get back to you.

github-actions Bot (Contributor) commented

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

don-petry (Contributor Author) commented

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

don-petry (Contributor Author) commented

@dev-lead - please fix this PR


@donpetry-bot donpetry-bot left a comment


Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 77077edf711a7b7dfeb163b09ca91d84ce032348
Review mode: triage-approved (single reviewer)

Summary

This PR pins the feature-ideation-reusable.yml reusable workflow from the mutable @v1 tag to immutable commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d, and syncs three small upstream-template improvements: a dry_run workflow_dispatch input, an actions: read permission (required by the reusable workflow's feed-checkpoint step), and an optional sources_file configuration comment. This is a security-hardening change that resolves the compliance finding in #88. The reviewed diff is unchanged in scope since the prior triage approval at 14fe6de9 — only main-branch merge commits have landed since.

Linked issue analysis

Closes #88 (compliance finding: unpinned-actions-feature-ideation.yml). The fix substantively addresses the finding by replacing the mutable @v1 ref with an immutable commit SHA. Pinned SHA was verified to exist in petry-projects/.github (commit message: feat(feature-ideation): add curated reputable source list for Mary (#102), dated 2026-04-17).

Findings

  • CodeRabbit inline comment (Line 91) — not actionable. CodeRabbit flags that the pinned SHA ee22b427… does not match what the v1 tag currently resolves to (d3d768da…) and asks for an update. This is a misunderstanding of SHA-pinning intent: the entire purpose of pinning to a SHA is to not follow tag movements (which v1 is allowed to do). The pinned SHA is valid, references real code in the upstream repo, and the workflow will resolve correctly at runtime. No change required. The # v1 trailing comment is mildly stale (it now refers to a prior v1 release) but is informational only.
  • Optional follow-up: if a newer reusable workflow version (e.g., a security or bug fix landed in upstream v1 since this SHA) is needed, a separate PR can bump the pin — but that's a maintenance task, not a defect in this PR.
  • Merge-state blocker (operational, not code-review). This branch is currently in CONFLICTING / DIRTY state with a long history of auto-rebase failures. The PR cannot merge until the conflicts are resolved manually. This does not affect the code-review verdict but must be addressed before merging.

CI status

All checks green: Analyze (actions) ✓, CodeQL ✓, SonarCloud quality gate passed.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@donpetry-bot donpetry-bot dismissed their stale review June 1, 2026 23:24

Superseded by automated re-review at 77077ed.

don-petry (Contributor Author) commented

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:18

Pull request was closed

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-feature-ideation.yml

4 participants