docs: add CI/CD standards and workflow patterns #11
Document standard CI configurations across all repos including required workflows, tech stack patterns, action pinning policy, permissions, secrets inventory, and a gap analysis of current repo coverage. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
📝 Walkthrough
Added a new organization-wide CI/CD standards document specifying required GitHub Actions workflows, triggers, permissions, secrets, action pinning, tech-stack CI templates, Dependabot expectations, an optional auto-fix pattern, and a repository CI status/gap matrix.
Pull request overview
Adds an organization-wide CI/CD standards document for petry-projects, consolidating required workflows, recommended workflow patterns by tech stack, and operational policies (pinning, permissions, secrets) to make CI onboarding consistent across repositories.
Changes:
- Documented required CI/CD workflows (CI, CodeQL, SonarCloud, Claude Code, Dependabot auto-merge, dependency audit) with example configurations.
- Added standardized policies for action pinning (SHA), least-privilege permissions, secrets inventory, and CI job naming for branch protection.
- Included a new-repo onboarding checklist and an audit-style “current repo status + gaps” matrix.
- Clarify that only Dependabot workflows have reusable templates; CI/CodeQL/SonarCloud/Claude are documented as copy-and-adapt patterns
- Fix top-level permissions in CI example to use {} per permissions policy
- Add branches filter to SonarCloud pull_request trigger for consistency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@standards/ci-standards.md`:
- Around line 294-296: Update the examples that currently use mutable tag
references like `@v4` so they demonstrate the mandated SHA pinning (the "MUST"
SHA pinning policy) instead of mutable tags; either replace each `@v4` example
with the equivalent SHA-pinned reference or, if you must show both, provide a
single paired example that shows the tag form alongside the SHA-pinned form and
then use SHA-pinned references consistently throughout the document so examples
comply with the standard and prevent copy/paste mistakes.
- Line 385: The example uses a mutable tag "actions/checkout@v4" which violates
SHA-pinning policy; update the example to a fixed commit SHA pin (replace
"actions/checkout@v4" with "actions/checkout@<commit-sha>" or equivalent full
SHA reference) so the CI auto-fix example demonstrates an immutable,
reproducible pin; ensure the change appears where "actions/checkout@v4" is
referenced in the document.
- Around line 42-43: The example uses a top-level "permissions: contents: read"
which conflicts with the "Permissions Policy" guidance that prescribes top-level
"permissions: {}" with job-level grants; update the example to follow the
prescribed pattern by switching to an empty top-level permissions block and
granting needed permissions on the job(s), or add a short clarifying note in the
Permissions Policy section stating that for single-job workflows a top-level
"permissions: contents: read" is acceptable (and reference the existing correct
examples like sonarcloud.yml and claude.yml) so readers understand when each
pattern should be used.
- Around line 185-196: Replace all mutable GitHub Action tags (e.g.,
actions/checkout@v4, actions/setup-node@v4 and any other `@vX` usages in the
TypeScript/npm, TypeScript/pnpm, Go, Electron, and Python workflow pattern
blocks) with the corresponding full commit SHA pins used in the
dependency-audit.yml example; update each step that uses actions/checkout,
actions/setup-node and any third-party action references so they use the exact
SHA commit string instead of `@v`* to comply with the document’s SHA pinning
policy and mirror the format shown in dependency-audit.yml.
- Line 225: Update the CI Go version setting by changing the go-version key
value from '1.24' to the current stable release '1.26.1'; locate the go-version
entry (the YAML key "go-version") in the CI config and replace the version
string, then run the CI pipeline locally or via a dry run to ensure toolchains
and caches are refreshed and tests pass with Go 1.26.1.
- Around line 121-159: The workflow example named "Claude Code" uses a mutable
tag "anthropics/claude-code-action@v1"; update the uses line to pin the action
to a specific commit SHA (e.g., replace `@v1` with @<COMMIT_SHA>) so it complies
with the rule "All GitHub Actions MUST be pinned to a specific commit SHA";
ensure the chosen SHA corresponds to the intended v1 release and update any
accompanying comment to indicate the SHA is intentionally pinned.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 908608ed-2f23-470d-aa22-fdd2b99ffac0
📒 Files selected for processing (1)
standards/ci-standards.md
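The two policies this review keeps returning to, every `uses:` pinned to a full commit SHA and `permissions: {}` at the top level with per-job grants, are simple to state and simple to violate by copying an example. As an added illustration (not part of this PR or of the standards document it adds), the following dependency-free Python check scans a workflow file for both. The two workflow texts inside it are constructed for the example, and the 40-hex SHA in the first one is a placeholder, not a real commit of `actions/checkout`; the indentation-based scan assumes the usual 2-space workflow layout rather than parsing YAML fully.

```python
import re

# Constructed sample workflow (not from the standards doc). The SHA below is a
# placeholder, not a real commit of actions/checkout.
SAMPLE_WORKFLOW = """\
name: CI
on:
  pull_request:
    branches: [main]
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: some-org/report-action@main
"""

# Second constructed sample: the top-level scope grant the review flagged.
TOP_LEVEL_GRANT = """\
name: CI
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_unpinned_uses(yaml_text):
    """(line, ref) for every `uses:` not pinned to a full 40-hex commit SHA.
    Tags (@v4) and branches (@main) are both mutable, so both are flagged; local
    actions (./path) and docker:// images are outside this policy and skipped."""
    findings = []
    for n, line in enumerate(yaml_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append((n, ref))
    return findings


def check_permissions(yaml_text):
    """Enforce: top-level `permissions: {}` plus a permissions block on each job.
    A job left without its own block under a top-level {} has a GITHUB_TOKEN with
    no scopes at all, which is usually a mistake rather than the intent."""
    issues = []
    top = None          # text after the top-level `permissions:` key, if present
    in_jobs = False
    jobs = {}           # job name -> has its own permissions block
    current = None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs = stripped == "jobs:"
            current = None
            if stripped.startswith("permissions:"):
                top = stripped[len("permissions:"):].strip()
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            current = stripped[:-1]
            jobs[current] = False
        elif in_jobs and indent == 4 and current and stripped.startswith("permissions:"):
            jobs[current] = True
    if top is None:
        issues.append("no top-level permissions: GITHUB_TOKEN falls back to the repo default")
    elif top != "{}":
        issues.append(f"top-level permissions is {top or 'a scope map'}; policy is {{}} plus per-job grants")
    for name, has_block in jobs.items():
        if top == "{}" and not has_block:
            issues.append(f"job '{name}' has no permissions block, so its GITHUB_TOKEN has no scopes at all")
    return issues


def lint(yaml_text):
    return {"unpinned": find_unpinned_uses(yaml_text), "permissions": check_permissions(yaml_text)}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("top-level-grant", TOP_LEVEL_GRANT)):
        print(name, lint(text))
```

Run against the first sample it reports the two mutable references (`@v4` and `@main`) and the `report` job that inherits an empty token; against the second it reports the top-level scope grant. Wiring a check like this into the CI workflow itself is one way to keep the standard's examples and the repositories that copy them from drifting apart.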
- Pin SHAs in SonarCloud, Claude Code, and auto-fix workflow examples
- Clarify that tech stack patterns use tags for illustration only
- Update Go version example to use 'stable' with note about pinning
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
♻️ Duplicate comments (1)
standards/ci-standards.md (1)
296-301: ⚠️ Potential issue | 🟠 Major
Policy exception text undermines the mandatory SHA-pinning rule.
This note explicitly permits mutable-tag examples, which conflicts with the MUST requirement in Line 279 and leaves copy/paste risk across Lines 187-271. Make examples SHA-pinned (or provide one side-by-side conversion example once, then keep all patterns pinned).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@standards/ci-standards.md` around lines 296 - 301, The note in "Workflow Patterns by Tech Stack" allows mutable-tag examples which contradicts the MUST SHA-pinning rule in the "Required Workflows" section; update the examples so they are SHA-pinned (or present a single side-by-side example showing tag → SHA conversion and then convert all other examples to SHA-pinned) and remove the sentence that permits `@v4`-style tags to avoid copy/paste risk—ensure references in the "Workflow Patterns by Tech Stack" section and any illustrative snippets now use explicit SHA pins or point to the single conversion example.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@standards/ci-standards.md`:
- Around line 309-317: Add a short clarification that the top-level permissions:
{} pattern is recommended for multi-job workflows to reset all permissions and
then grant per-job rights, but single-job workflows may instead set
least-privilege at the top level (for example permissions: contents: read) to
avoid repeating per-job blocks; update the text around the example that shows
permissions: {} and the jobs.my-job snippet and reference the dependency-audit
workflow as an example where top-level permissions are used.
---
Duplicate comments:
In `@standards/ci-standards.md`:
- Around line 296-301: The note in "Workflow Patterns by Tech Stack" allows
mutable-tag examples which contradicts the MUST SHA-pinning rule in the
"Required Workflows" section; update the examples so they are SHA-pinned (or
present a single side-by-side example showing tag → SHA conversion and then
convert all other examples to SHA-pinned) and remove the sentence that permits
`@v4`-style tags to avoid copy/paste risk—ensure references in the "Workflow
Patterns by Tech Stack" section and any illustrative snippets now use explicit
SHA pins or point to the single conversion example.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Mark markets Dependabot config as partial (missing npm ecosystem)
- Mark google-app-scripts auto-merge as older pattern
- Flag non-standard npm limit:10 on google-app-scripts
- Add CodeQL for TalkTerm to missing list
- Add version inconsistency section (SonarCloud, CodeQL, Claude Code)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry left a comment
Review: docs: add CI/CD standards and workflow patterns
Comprehensive CI/CD standards covering required workflows, tech stack patterns, SHA-pinning policy, permissions, secrets, and gap analysis.
Findings
Issue: SHA-pinning inconsistency in examples (flagged by CodeRabbit, partially addressed)
- The document mandates SHA-pinned actions, but workflow pattern examples use mutable tags (`@v4`, `@v5`, `@v6`). While the author added a note explaining these are "illustrative patterns," a standards doc with policy-violating examples is confusing. Consider:
  - Adding a visible callout box (not just a note) warning about this
  - Or pinning the example SHAs with version comments
Issue: Permissions example inconsistency
- The CI example uses `permissions: contents: read` at top level, but the Permissions Policy section says workflows MUST use `permissions: {}` at top level with per-job permissions.
Non-blocking:
- Cross-link to `github-settings.md` (PR #10) — same dependency, merge together
- Gap analysis matrix is valuable — identifies specific missing workflows per repo
CI: All passing (Analyze, CodeQL, CodeRabbit)
Verdict: Ready for human approval after addressing the SHA-pinning example concern. The permissions inconsistency should be fixed to avoid confusion when used as a reference.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude please remove references to repo specific details. This is a high level standard, not per repo specific implementation details.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All five quality checks (SonarCloud, CodeQL, Claude, CI, Coverage) are required on every repo. Updated status table with Coverage column, prioritized gap remediation list, and version alignment targets. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
♻️ Duplicate comments (1)
standards/ci-standards.md (1)
296-301: ⚠️ Potential issue | 🟠 Major
Remove the tag-based exception; it undermines the mandatory SHA policy.
This note directly conflicts with Line 279 (“MUST be pinned to a specific commit SHA”) and invites copy/paste non-compliance across the tech-stack examples.
Suggested doc fix
-> **Note on examples in this document:** The "Workflow Patterns by Tech Stack" -> section uses tag references (e.g., `@v4`) for readability since those are -> illustrative patterns, not copy-paste templates. The "Required Workflows" -> section above uses SHA-pinned references where possible. When copying any -> example to a repository, always look up the current SHA for each action and -> pin to it with a version comment. +> **Note on examples in this document:** All examples in this document must use +> SHA-pinned action references with a version comment (for example, `# v4`). +> This document is intended to be copy-safe and policy-compliant by default.🤖 Prompt for AI Agents
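Review bot: the `+` lines drop the one actionable instruction in the removed text, "always look up the current SHA for each action and pin to it with a version comment", and replace it with a statement about the document's own state ("intended to be copy-safe"), which tells a reader copying a pattern into a repository nothing about what to do once the SHA in the example has aged. Keep a sentence of that guidance in the replacement, for example `+> When copying any example, look up the SHA of the current release tag and pin to it with a version comment.`, so the note both forbids tag references and says how to obtain a compliant pin.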
Verify each finding against the current code and only fix it if needed. In `@standards/ci-standards.md` around lines 296 - 301, The note in the "Workflow Patterns by Tech Stack" paragraph contradicts the mandatory SHA policy; remove the sentence that permits tag-based references (e.g., "`@v4`") and replace it with a statement that all examples must use SHA-pinned action references or include an explicit reminder to look up and pin the current SHA before copying; update the "Note on examples in this document" text so it aligns with the "Required Workflows" rule that actions MUST be pinned to a specific commit SHA (refer to the "Workflow Patterns by Tech Stack" section and the "Required Workflows" rule).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@standards/ci-standards.md`:
- Around line 67-76: The "Language matrix by repo" table and other embedded
per-repo details in this standards doc (e.g., the table block starting with
"**Language matrix by repo:**" and the sections referenced at ranges 336-345 and
431-464) must be removed from the high-level standards file and moved into a
separate operational/implementation document (e.g.,
"ci-standards-operations.md"); update the standards doc to instead include a
single short pointer or link to that new operational document and add a brief
note that repo-specific mappings, secrets, gap matrices, and version-drift
tracking live in the operations file; ensure the new operational file contains
the original tables and per-repo details verbatim and include clear headers
(e.g., "Language matrix by repo", "Secrets by repo", "Gap matrix", "Version
drift tracking") so the mapping in the diff can be located and maintained.
---
Duplicate comments:
In `@standards/ci-standards.md`:
- Around line 296-301: The note in the "Workflow Patterns by Tech Stack"
paragraph contradicts the mandatory SHA policy; remove the sentence that permits
tag-based references (e.g., "`@v4`") and replace it with a statement that all
examples must use SHA-pinned action references or include an explicit reminder
to look up and pin the current SHA before copying; update the "Note on examples
in this document" text so it aligns with the "Required Workflows" rule that
actions MUST be pinned to a specific commit SHA (refer to the "Workflow Patterns
by Tech Stack" section and the "Required Workflows" rule).
- Change CodeQL schedule to Friday 12:00 PM EST (cron: 0 17 * * 5)
- Replace repo-specific language matrix with rule: all ecosystems present in repo must be configured as CodeQL languages
- Move SONAR_TOKEN to org-level secrets
- Replace "Secrets by Repository" with "Organization-Level Secrets for Standard CI" — all standard secrets are org-inherited
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
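GitHub evaluates `schedule:` cron expressions in UTC, so a fixed `0 17 * * 5` is 12:00 in New York only while standard time is in effect; during US daylight time the same run lands at 13:00 local. The following added example (not part of this PR) works that out with the US DST rule hard-coded rather than relying on a system time-zone database; the years and dates used to exercise it are constructed for the example.

```python
from datetime import date, datetime, timedelta, timezone

# The schedule from the commit message: minute 0, hour 17 UTC, every Friday.
# GitHub evaluates `schedule:` cron expressions in UTC, so the local wall-clock
# time of a fixed UTC cron shifts by an hour when US daylight time is in effect.
CODEQL_CRON = "0 17 * * 5"


def parse_cron(expr):
    """Minimal parser for the fixed minute / hour / day-of-week shape used above."""
    minute, hour, _dom, _month, dow = expr.split()
    return int(minute), int(hour), int(dow)


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month (datetime convention: Monday=0, Sunday=6)."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def us_eastern_utc_offset_hours(d):
    """-4 during US daylight time (second Sunday in March up to the first Sunday
    in November, the rule in force since 2007), otherwise -5. Date granularity is
    enough here because a 17:00 UTC firing is nowhere near the 02:00 transition."""
    dst_start = nth_weekday(d.year, 3, 6, 2)
    dst_end = nth_weekday(d.year, 11, 6, 1)
    return -4 if dst_start <= d < dst_end else -5


def local_fire_time(expr, d):
    """HH:MM in America/New_York at which the cron fires on date d (date or ISO string)."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    minute, hour, _ = parse_cron(expr)
    fire_utc = datetime(d.year, d.month, d.day, hour, minute, tzinfo=timezone.utc)
    return (fire_utc + timedelta(hours=us_eastern_utc_offset_hours(d))).strftime("%H:%M")


def firings_in_year(expr, year):
    """Every (ISO date, local HH:MM) the schedule fires in a calendar year."""
    _, _, dow = parse_cron(expr)
    weekday = (dow - 1) % 7          # cron 0=Sunday..6=Saturday -> datetime Monday=0
    d = date(year, 1, 1)
    d += timedelta(days=(weekday - d.weekday()) % 7)
    out = []
    while d.year == year:
        out.append((d.isoformat(), local_fire_time(expr, d)))
        d += timedelta(days=7)
    return out


def local_times_seen(expr, year):
    """Distinct wall-clock times a fixed UTC cron produces over a year; one entry
    means the schedule is stable in local time, two means it drifts with DST."""
    return sorted({t for _, t in firings_in_year(expr, year)})


if __name__ == "__main__":
    for day, t in firings_in_year(CODEQL_CRON, 2025):
        print(day, t)
    print("distinct local times in 2025:", local_times_seen(CODEQL_CRON, 2025))
```

For a weekly scan the one-hour drift is harmless and the single cron is the right choice; the point is only that "12:00 PM EST" in the commit message is accurate for roughly four months of the year, which is worth stating in the standard so nobody files a bug when the Friday run shows up at 13:00 in July.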
* docs: add GitHub repository settings standards
  Document the standard org and repo configurations including branch protection, rulesets, merge settings, required integrations, labels, and new-repo onboarding checklist.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
  - Improve merge settings rationale to clarify admin override purpose inline
  - Replace vague protect-branches description with specific ruleset details from the actual GitHub API configuration
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct settings values from API audit data
  - Fix org default permission to 'write' (not 'read')
  - Fix has_projects to 'true' (currently enabled on all repos)
  - Fix has_wiki to 'true' (enabled on most repos)
  - Fix squash commit message to COMMIT_MESSAGES (not PR body)
  - Fix broodly stack label (TypeScript + Go, not Rust)
  - Add installed GitHub Apps with dates from API audit
  - Add compliance status table showing per-repo deviations
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: apply review feedback — rulesets, settings, and secrets
  - Change wiki to disabled, discussions to enabled
  - Change squash commit title to PR_TITLE
  - Replace classic branch protection with rulesets-first approach
  - Strengthen pr-quality ruleset: dismiss stale reviews, require last push approval, require code owner review
  - Abstract required checks into conditional code-quality ruleset (removes repo-specific names, uses condition-based check mapping)
  - Fix GitHub App secrets to reflect org-level inheritance
  - Update new-repo checklist and compliance status accordingly
  - Add migration note for classic → ruleset transition
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: require 2FA and align label onboarding checklist
  - Set two-factor requirement to Required (was Disabled)
  - Reference full standard label set in onboarding checklist
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: tighten org permission to read, make labels MUST
  - Change default repo permission to 'read' (least privilege)
  - Change labels from SHOULD to MUST for consistency with onboarding checklist
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: make all quality checks required on all repos
  All five check categories (SonarCloud, CodeQL, Claude Code, CI, Coverage) are now universally required. Ecosystem-specific configuration varies by what languages/tools the repo contains — if an ecosystem is present, it must be configured in the relevant checks.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove ci-standards.md (belongs in PR #11, not this branch)
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: consolidate secrets documentation, add CLAUDE_CODE_OAUTH_TOKEN
  - Split secrets into org-level and repo-level sections
  - Add CLAUDE_CODE_OAUTH_TOKEN to org secrets table
  - Add SONAR_TOKEN and GCP secrets to repo-level table
  - Align onboarding note with secrets sections
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL rule-based, org-level secrets, remove repo-level section
  - CodeQL definition now focuses on rule: all ecosystems must be configured
  - Move SONAR_TOKEN to org-level secrets
  - Remove repo-level secrets section — all standard CI secrets are org-level
  - Simplify onboarding note
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix typo in repo-specific secrets note
  Correct typo in the note about repo-specific secrets.
--------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>