enhancement: Automate remediation of recurring compliance-audit findings

[don-petry]

Summary

There are 42+ open compliance-audit issues across the org, with recurring patterns that could be automated instead of manually resolved.

Recurring Patterns

Finding	Repos Affected
Missing CODEOWNERS	google-app-scripts, ContentTwin, broodly, markets, TalkTerm
Missing code-quality config	google-app-scripts, ContentTwin, broodly, markets, TalkTerm
Missing security/dependencies labels	All repos
Wiki enabled (policy says disable)	All except ContentTwin
Discussions not enabled (or enabled when shouldn't be)	Multiple
Unpinned actions	broodly, markets, TalkTerm
Missing CI/CodeQL workflows	ContentTwin, TalkTerm, google-app-scripts

Recommended Actions

1. Create a remediation workflow that can auto-fix common findings:
   • Generate CODEOWNERS from repo admin/contributor data
   • Create missing labels via gh label create
   • Disable wikis via API where policy requires it
   • Pin action versions to SHAs using pin-github-action tool
2. Add the remediation as a phase in the compliance audit workflow (audit → report → auto-fix → PR)
3. Prioritize fixes that unblock other automation (e.g., missing labels block Dependabot auto-merge labeling)

Context

Identified during weekly org CI/Security survey on 2026-04-05. The compliance audit workflow creates issues but doesn't remediate — closing the loop would dramatically reduce toil.

[claude]

Claude finished @don-petry's task in 8m 55s —— View job • claude/issue-35-20260406-0321 • Create PR ➔

---

Compliance Remediation Workflow — Complete

• Gather context and read AGENTS.md / org standards
• Explore existing compliance audit workflow
• Implement scripts/compliance-remediate.sh
  • Direct API remediations: settings (wiki, auto-merge, discussions), labels
  • PR-based remediations: CODEOWNERS generation, action SHA pinning
  • Dry-run support and remediation report output
  • Self-review fixes: set -e fault isolation, action detection regex
• Commit and push changes
• Create PR

---

What was implemented

scripts/compliance-remediate.sh reads findings.json from compliance-audit.sh and closes the audit → report → auto-fix → PR loop.

Direct API remediations (applied immediately, no PR)

Finding	Fix
has_wiki=true	PATCH → has_wiki=false
allow_auto_merge=false	Enables auto-merge (required for Dependabot)
delete_branch_on_merge=false	Enables auto-delete of merged branches
has_discussions=false	Enables discussions
Missing required labels	Creates with correct colors/descriptions per github-settings.md

PR-based remediations (creates branch + PR in target repo)

Finding	Fix
missing-codeowners	Generates .github/CODEOWNERS from org admins, opens PR
unpinned-actions-<file.yml>	Resolves tag → commit SHA (handles annotated tags), pins all unpinned refs, opens PR

Skipped with explanation (for Claude agent pickup)

• Missing workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md

Usage

FINDINGS_FILE=/path/to/findings.json bash scripts/compliance-remediate.sh
DRY_RUN=true FINDINGS_FILE=/path/to/findings.json bash scripts/compliance-remediate.sh

Integrating with the audit workflow

Add a remediate job to compliance-audit-and-improvement.yml after the audit job:

remediate:
  name: Auto-Remediate Findings
  needs: audit
  if: needs.audit.result == 'success'
  runs-on: ubuntu-latest
  permissions:
    contents: write
    pull-requests: write
  env:
    GH_TOKEN: ${{ secrets.ORG_SCORECARD_TOKEN }}
  steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: compliance-report
        path: ${{ runner.temp }}/compliance-report
    - run: |
        FINDINGS_FILE="${{ runner.temp }}/compliance-report/findings.json" \
        REPORT_DIR="${{ runner.temp }}/remediation-report" \
        bash scripts/compliance-remediate.sh

Note: A standalone compliance-remediate.yml workflow was also authored on this branch but cannot be committed by the Claude GitHub App (requires workflows token scope). It can be manually added using a PAT with workflow scope.

@don-petry — ready for review! Please check the CODEOWNERS/wiki/label remediation logic matches expectations, and add the remediate job snippet above to compliance-audit-and-improvement.yml (or use a PAT to push the standalone workflow file from this branch).

[claude]

Claude finished @don-petry's task in 6m 58s —— View job • claude/issue-35-20260406-0341 • Create PR ➔

---

Compliance Remediation — Complete

• Read CLAUDE.md and gather repo context
• Review existing scripts and workflow structure
• Implement scripts/compliance-remediate.sh
  • Direct API remediations (settings: wiki, auto-merge, discussions; labels)
  • PR-based remediations (CODEOWNERS generation, action SHA pinning)
  • Dry-run support and remediation report output
• Commit and push changes
• Self-review fixes (annotated tag resolution, ensure compliance-audit label exists before PR creation)

---

What was implemented

scripts/compliance-remediate.sh reads findings.json from compliance-audit.sh and closes the audit → report → auto-fix → PR loop.

Direct API remediations (applied immediately)

Finding	Fix
has_wiki=true	PATCH → has_wiki=false
allow_auto_merge=false	PATCH → allow_auto_merge=true
delete_branch_on_merge=false	PATCH → delete_branch_on_merge=true
has_discussions=false	PATCH → has_discussions=true
missing-label-<name>	gh label create with colors/descriptions from standards/github-settings.md

PR-based remediations (creates branch + PR in target repo)

Finding	Fix
missing-codeowners	Fetches org admins, generates .github/CODEOWNERS, opens PR for review
unpinned-actions-<file.yml>	Resolves tag → commit SHA (handles annotated vs. lightweight tags), patches file, opens PR

Skipped (logged for human/agent pickup)

Missing workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, workflow permissions declarations

Usage

FINDINGS_FILE=/path/to/findings.json bash scripts/compliance-remediate.sh
DRY_RUN=true FINDINGS_FILE=/path/to/findings.json bash scripts/compliance-remediate.sh

Workflow integration snippet

To wire this into compliance-audit-and-improvement.yml after the audit job:

remediate:
  name: Auto-Remediate Findings
  needs: audit
  if: needs.audit.result == 'success'
  runs-on: ubuntu-latest
  permissions:
    contents: write
    pull-requests: write
  env:
    GH_TOKEN: ${{ secrets.ORG_SCORECARD_TOKEN }}
  steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: compliance-report
        path: ${{ runner.temp }}/compliance-report
    - run: |
        FINDINGS_FILE="${{ runner.temp }}/compliance-report/findings.json" \
        REPORT_DIR="${{ runner.temp }}/remediation-report" \
        bash scripts/compliance-remediate.sh

The workflow file itself cannot be committed by this agent (requires workflow token scope). Add the snippet above using a PAT with workflow scope.

@don-petry — the script is ready for review. Key things to verify:

1. The CODEOWNERS generation logic (org admins as fallback owners) matches your expectations
2. The action SHA pinning covers all the patterns in your repos
3. The workflow integration snippet above should be added to compliance-audit-and-improvement.yml using a PAT with workflow scope
   | claude/issue-35-20260406-0341