fix(compliance-audit): eliminate false positives + apply API-based fixes

[don-petry]

Summary

Addresses all actionable findings from the 2026-04-09 compliance audit (issue #119).

Changes in this PR

scripts/compliance-audit.sh — three false-positive fixes:

• Dependabot YAML quote style — old grep patterns required "double-quoted" YAML values for ecosystem names and labels; YAML permits both styles. Patterns updated to accept 'single-quoted' as well. This resolves the missing-github-actions-ecosystem, missing-security-label, and missing-dependencies-label findings for google-app-scripts (whose dependabot.yml uses single quotes).

• Reusable workflow permissions — the permissions check now skips workflow_call-only workflows (*-reusable.yml). Reusable workflows inherit permissions from their caller, so requiring a top-level permissions: block in them was incorrect. This resolves the four missing-permissions-*-reusable.yml findings for the .github repo.

• AGENTS.md org reference — the check now accepts GitHub blob URLs (petry-projects/.github/blob/<branch>/AGENTS.md) in addition to the canonical path format (.github/AGENTS.md in link text). Both unambiguously point to the org-level standards file. This resolves agents-md-missing-org-ref for ContentTwin and markets.

API-based fixes applied directly (no file changes required)

These were applied via the GitHub API as part of this remediation and will show as compliant in the next audit run:

Fix	Repos
CodeQL default setup enabled	markets, google-app-scripts, ContentTwin, broodly, bmad-bgreat-suite, TalkTerm
pr-quality ruleset created	.github, google-app-scripts
code-quality ruleset created	.github, google-app-scripts

Remaining open items (require GH_PAT_WORKFLOWS secret or manual action)

The following findings affect .github/workflows/*.yml files in various repos. GitHub App tokens cannot write to workflow files without the workflows scope (GH_PAT_WORKFLOWS secret). These must be fixed manually or via a PAT-enabled run:

• SHA pinning — unpinned-actions-*.yml across all repos
• Stray codeql.yml files — these per-repo workflow files should be removed now that GitHub-managed CodeQL default setup is enabled; the check stray-codeql-workflow will clear once removed
• Missing ci.yml — TalkTerm needs a CI pipeline added
• required-claude-check-broken — TalkTerm ruleset references a check that no longer exists

Closes #119

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Improved compliance audit parsing to handle quoted ecosystem names more flexibly, and to extract relevant config blocks more reliably.
  • Relaxed label detection to recognize security/dependencies labels with single or double quotes.
  • Exempted reusable workflow files from top-level permissions enforcement to reduce false positives.
  • Broadened AGENTS.md validation to accept org-level or various repository references.

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 54 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 23 minutes and 54 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4bffd6d7-4460-4b24-987f-a4c25d015fa0

📥 Commits

Reviewing files that changed from the base of the PR and between 745825a and 9d5c4e7.

📒 Files selected for processing (1)

• scripts/compliance-audit.sh

📝 Walkthrough

Walkthrough

Updated the compliance audit script to parse Dependabot ecosystems and labels with quote-flexible regex, adjust ecosystem block extraction, exempt reusable *-reusable.yml workflows from top-level permissions checks, and broaden AGENTS.md validation to accept relative paths or org-level GitHub blob URLs.

Changes

Cohort / File(s)

Summary

Compliance Audit Script scripts/compliance-audit.sh

Refined Dependabot YAML parsing to accept single- or double-quoted package-ecosystem and app ecosystems; adjusted awk heuristics to extract ecosystem blocks without requiring double quotes; made required-label detection accept single- or double-quoted security/dependencies; skip permission findings for *-reusable.yml/.yaml files; accept .github/AGENTS.md or org-level GitHub blob URL references in AGENTS.md check.

Sequence Diagram(s)

(omitted — changes are script logic tweaks within a single component)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• enhancement: Automate remediation of recurring compliance-audit findings #35: Changes touch Dependabot parsing and security/dependencies label detection, directly addressing the missing label findings referenced.
• Compliance audit — 2026-04-09 #122: Modifies Dependabot, workflow-permissions, and AGENTS.md checks — aligns with the findings tracked in that compliance audit issue.

Possibly related PRs

• feat: audit .github repo and add CLAUDE.md/AGENTS.md checks #14: Alters check_agents_md in the same script; strongly related to the AGENTS.md matching changes.
• feat(compliance-audit): detect non-stub centralized workflow copies #89: Addresses reusable-workflow handling in compliance checks; related to the *-reusable.yml permissions exemption.
• feat: add weekly compliance audit workflow #12: Updates the same compliance-audit script for Dependabot and workflow permission behavior; directly related.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: fixing compliance audit script to eliminate false positives and applying API-based fixes.
Linked Issues check	✅ Passed	The PR successfully addresses coding requirements from issue #119: fixing Dependabot YAML quote handling, reusable workflow permissions checks, and AGENTS.md org references.
Out of Scope Changes check	✅ Passed	All changes in scripts/compliance-audit.sh are directly scoped to fix false positives identified in issue #119; no unrelated modifications detected.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-119-20260409-1218

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry — this PR fixes the false positives in the compliance audit script identified in issue #119, plus applies API-based fixes (CodeQL setup and rulesets). Please review and merge when ready.

[Copilot]

Pull request overview

This PR updates the org compliance audit script to reduce false positives and align checks with how the standards are applied across repositories.

Changes:

• Relaxed Dependabot YAML matching to accept single-quoted ecosystem names and labels.
• Updated workflow permissions auditing to skip workflow_call-only reusable workflows.
• Expanded AGENTS.md org-reference detection to accept GitHub blob-style URLs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 793-797: The grep regex that checks $decoded currently uses
"petry-projects/\.github/blob/[^/]+/AGENTS\.md" which rejects branch names
containing slashes; update the pattern used in the if test to allow any
characters (including slashes) between "blob/" and "/AGENTS.md" (for example
replace the "[^/]+” segment with ".+"), i.e. adjust the grep -qE pattern that
references $decoded so it matches "petry-projects/\.github/blob/.+/AGENTS\.md"
while keeping the existing "\.github/AGENTS\.md" alternative.
- Around line 489-494: Replace the brittle on: extraction and whitelist logic
(the on_triggers variable computed from decoded and the subsequent grep checks)
with a simple filename-based check: detect reusable workflows by testing the
workflow file name for the suffix -reusable.yml or -reusable.yaml (i.e., if
filename ends with -reusable.yml or -reusable.yaml then treat as reusable and
continue), and remove the awk/grep on_triggers logic that inspects decoded to
avoid inline syntax and missing-trigger edge cases. Ensure you use the existing
loop's filename variable (the variable used to hold the current workflow file)
in the new check and delete the on_triggers and related grep blocks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d2c157b5-1dce-42ee-bcac-c465efa4a097

📥 Commits

Reviewing files that changed from the base of the PR and between a3e9658 and 42fdee0.

📒 Files selected for processing (1)

• scripts/compliance-audit.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 249-256: The awk block extraction uses an unquoted pattern that
can falsely match substrings (e.g., "pnpm" when eco=npm); update the awk pattern
used in the block assignment (the command that builds variable `block` using awk
"/package-ecosystem:.*$eco/{...}") to require the ecosystem name to be quoted
the same way as the earlier grep (match either double-quoted or single-quoted
"$eco"/'$eco') and ensure the exit condition `!/$eco/` is changed to use the
same quoted-aware match so the block stops at the next ecosystem entry
correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b30d569-1452-40c6-b9b3-ae85c7e3a683

📥 Commits

Reviewing files that changed from the base of the PR and between 42fdee0 and 745825a.

📒 Files selected for processing (1)

• scripts/compliance-audit.sh

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud