fix: Weekly Compliance Audit workflow broken — GH_TOKEN not passed to script

[don-petry]

Summary

The Weekly Compliance Audit workflow in .github is failing because the GH_TOKEN environment variable is empty when the shell script executes, despite being set in the workflow YAML.

Evidence

• Failed runs: 24014305873, 24014255856
• The gh CLI calls within the script fail due to missing authentication

Recommended Actions

1. Ensure GH_TOKEN or GITHUB_TOKEN is passed as an env var to the script step (not just the job level)
2. Verify the token has sufficient scope (repo, read:org) for cross-repo scanning
3. Consider using ORG_SCORECARD_TOKEN (PAT) if GITHUB_TOKEN lacks org-level access
4. Add a preflight check in the script: gh auth status before proceeding

Context

Identified during weekly org CI/Security survey on 2026-04-05.

[claude]

Claude finished @don-petry's task in 5m 47s —— View job • claude/issue-30-20260406-0321 • Create PR ➔

---

Fixing Weekly Compliance Audit Workflow

Root cause: The audit job sets GH_TOKEN at the job level, but the "Run compliance audit" step has its own env: block. While GitHub Actions should merge these, the safest fix is explicit step-level declaration. Additionally, there was no early-exit check when the token is missing, causing confusing gh CLI auth errors deep in the script.

• Gather context (read workflow and script files)
• Identify root cause
• Add preflight GH_TOKEN check + gh auth status to scripts/compliance-audit.sh
• Commit and push script changes
• Create PR

---

What was changed

scripts/compliance-audit.sh — added at the top of main():

# Preflight: verify GH_TOKEN is set and gh CLI is authenticated
if [ -z "${GH_TOKEN:-}" ]; then
  echo "::error::GH_TOKEN is not set. Ensure ORG_SCORECARD_TOKEN secret is configured and passed as an env var to this step (not just at the job level)." >&2
  exit 1
fi
if ! gh auth status >/dev/null 2>&1; then
  echo "::error::gh auth failed — GH_TOKEN is set but authentication did not succeed. Check that ORG_SCORECARD_TOKEN is valid and has repo + read:org scopes." >&2
  exit 1
fi

---

Required manual change (workflow file)

The Claude GitHub App lacks the workflows permission and cannot push changes to .github/workflows/. Apply this one-line change manually to .github/workflows/compliance-audit-and-improvement.yml:

In the Run compliance audit step (job audit), add GH_TOKEN explicitly at the step level:

      - name: Run compliance audit
        id: audit
        env:
          GH_TOKEN: ${{ secrets.ORG_SCORECARD_TOKEN }}   # ← add this
          REPORT_DIR: ${{ runner.temp }}/compliance-report
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
          CREATE_ISSUES: 'true'

Also verify ORG_SCORECARD_TOKEN is set in Settings → Secrets with repo + read:org scopes.

---

[claude]

Claude finished @don-petry's task in 4m 40s —— View job • claude/issue-30-20260406-0341 • [Create PR ➔](https://github.com/petry-projects/.github/compare/main...claude/issue-30-20260406-0341?quick_pull=1&title=Issue%20%2330%3A%20Changes%20from%20Claude&body=This%20PR%20addresses%20issue%20%2330%0A%0AGenerated%20with%20%5BClaude%20Code%5D(https%3A%2F%2Fclaude.ai%2Fcode)

---

Fixing Weekly Compliance Audit Workflow (Issue #30)

• Read CLAUDE.md and gather context
• Review current state of workflow and script files
• Add preflight GH_TOKEN check + gh auth status to scripts/compliance-audit.sh
• Commit and push changes
• Create PR — petry-projects/.github#60
• Self-review PR
• CI is green (Lint ✅, ShellCheck ✅, SonarCloud ✅, Agent Security Scan ✅)

---

Summary

PR petry-projects/.github#60 adds a preflight authentication check to scripts/compliance-audit.sh that fails fast with clear ::error:: annotations when GH_TOKEN is unset or gh auth fails — addressing the root cause of confusing auth failures deep in the script.

What was changed: 12 lines added at the top of main() in scripts/compliance-audit.sh.

What still requires a manual change (Claude lacks workflows permission):

Add GH_TOKEN explicitly at the step level in .github/workflows/compliance-audit-and-improvement.yml:

      - name: Run compliance audit
        id: audit
        env:
          GH_TOKEN: ${{ secrets.ORG_SCORECARD_TOKEN }}   # ← add this line
          REPORT_DIR: ${{ runner.temp }}/compliance-report
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
          CREATE_ISSUES: 'true'

Also verify ORG_SCORECARD_TOKEN exists in Settings → Secrets with repo + read:org scopes.

No CODEOWNERS file found in this repo — please tag the relevant reviewer(s) directly on the PR.
| Branch