
feat: extend compliance audit with CI/automation health survey #13

Merged

don-petry merged 1 commit into main from feat/continuous-improvement-agent on Apr 6, 2026

Conversation


@don-petry don-petry commented Apr 5, 2026

Summary

Replaces compliance-audit.yml with compliance-audit-and-improvement.yml, extending the existing weekly compliance audit with runtime health telemetry and a forward-looking best practices research phase.

Architecture

Job 1: Compliance Audit          Job 2: Health Survey
(deterministic shell script)     (runtime API telemetry)
        |                                |
        v                                v
   findings.json                  health-survey.json
        |                                |
        +----------------+---------------+
                         v
           Job 3: Analyze (Claude)
           6-phase analysis:
           1. Load data + standards
           2. Correlate & categorize
           3. Root cause & automation ideas
           4. Industry best practices
           5. Create issues
           6. Summary report
                         |
              +----------+----------+
              v          v          v
         Repo-specific  Org-wide   Standards
         issues         issues     proposals
         (in repo)      (.github)  (.github)
              + claude label on all

What's New

Job 2 — Health Survey

Collects live runtime telemetry across all org repos:

Signal                    Source          Why
CI run failures (7d)      gh run list     Broken pipelines block work
Secret scanning alerts    Security API    Exposed credentials
Dependabot alerts         Security API    Known vulnerabilities
Code scanning alerts      Security API    Security issues
Stale PRs (7d+)           PR API          Drift and merge conflicts
Branch protection         Branch API      Unreviewed changes
Workflow inventory        Actions API     Missing or disabled workflows

Job 3 — Combined Analysis (6 Phases)

  1. Load & Understand — read both datasets + org standards + existing open issues
  2. Analyze & Categorize — correlate compliance gaps with health failures, assign severity
  3. Research & Ideation — root cause analysis, automation to prevent recurrence
  4. Industry Best Practices & Emerging Capabilities — evaluate the org against:
    • Security & supply chain integrity (SLSA, SBOM, attestation, push protection)
    • Agentic development guardrails (sandboxing, audit trails, policy gates, feedback loops)
    • Reliability & predictability (flakiness tracking, workflow SLOs, idempotency)
    • Developer experience & velocity (PR cycle time, inner loop speed, toil reduction)
    • Observability & continuous improvement (trend tracking, regression detection)
    • Output: standards proposals only — not implementation issues
  5. Create Issues — repo-specific placement, claude label, deduplication
  6. Summary Report — compliance + health scorecard, issues created, best practices assessment

Issue Rules

  • Every issue gets the claude label for agent pickup
  • Repo-specific issues go in that repo
  • Org-wide issues and standards proposals go in .github
  • Phase 4 creates only Standards: prefixed proposals with proposed standard, rationale, current gap, and implementation path
  • Max 3 standards-improvement + 3 best-practices proposals per run
  • Deduplicates against existing open issues

What's Unchanged

  • Schedule: Friday 12:00 UTC
  • Job 1: Deterministic compliance audit via scripts/compliance-audit.sh
  • Artifact upload (90-day retention)
  • dry_run and target_repo inputs
  • Concurrency control

Test Plan

  • Manual dispatch with dry_run: true — verify both jobs collect data, no issues created
  • Manual dispatch targeting a single repo (target_repo input)
  • Verify repo-specific issues land in the correct repo with claude label
  • Verify org-wide issues land in .github with claude label
  • Verify Phase 4 creates only Standards: proposals in .github
  • Verify deduplication against existing open issues
  • Confirm Friday cron trigger

Initial Survey Issues (2026-04-05)

Issue                                Repo                 Title
petry-projects/markets#56            markets              CRITICAL: Rotate exposed google_api_key
#28                                  .github              Branch protection gaps
#29                                  .github              Dependabot auto-merge broken
#30                                  .github              Compliance Audit GH_TOKEN broken
petry-projects/bmad-bgreat-suite#47  bmad-bgreat-suite    CodeQL setup conflict
petry-projects/broodly#72            broodly              CI Push API Image failing
#33                                  .github              Claude Code workflow PR failures
#34                                  .github              Node.js 20 deprecation audit
#35                                  .github              Automate compliance remediation
#36                                  .github              Dependabot major version review
#37                                  .github              Org profile README
petry-projects/broodly#73            broodly              Stale epic PR triage

All issues have the claude label.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Summary by CodeRabbit

  • New Features
    • Added a consolidated weekly compliance & health audit workflow with manual trigger and dry-run option.
    • Produces consolidated compliance reports, health survey summaries, and a scored repo health report.
  • Chores
    • Automates analysis of findings and summarizes actions, with outputs used to create notification issues (can be run without creating issues).

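The issue rules in the description (repo-specific placement, org-wide and Standards: proposals in .github, the claude label, deduplication against open issues, the 3 + 3 cap, and dry_run creating nothing) are enforced in the PR through the agent prompt. The following is an added example, not code from this PR or the project, of enforcing the same rules deterministically on whatever the analysis step proposes, so a prompt that is ignored or misread cannot route, label or over-create issues. The input shape (title, body, repo, kind), the org name as a parameter and the create_fn hook are assumptions; the rules themselves are the ones the PR states.

```python
"""Deterministic post-processing of the analysis job's proposed issues.

Added example, not the workflow's own code. Assumes the agent step emits a list
of dicts {title, body, repo, kind} with kind in {"finding", "standards",
"best_practice"} and a bare repo name (None for org-wide); the org name and the
create_fn hook are assumptions. Routing, the `claude` label, dedup and the
per-run caps are the issue rules stated in the PR, enforced here in code.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Iterable, Mapping, Optional

CLAUDE_LABEL = "claude"
STANDARDS_PREFIX = "Standards:"
CAPS = {"standards": 3, "best_practice": 3}   # max 3 + 3 proposals per run
KINDS = {"finding", *CAPS}


@dataclass
class PlannedIssue:
    repo: str                       # "org/repo" the issue is created in
    title: str
    body: str
    labels: list[str] = field(default_factory=list)


@dataclass
class RoutingResult:
    planned: list[PlannedIssue] = field(default_factory=list)
    created: list[PlannedIssue] = field(default_factory=list)
    skipped: list[tuple[str, str]] = field(default_factory=list)   # (title, reason)


def _norm(title: str) -> str:
    """Dedup key: whitespace-collapsed, case-insensitive title."""
    return " ".join(title.split()).casefold()


def route_issues(proposed: Iterable[Mapping], existing_open: Mapping[str, Iterable[str]],
                 org: str, dry_run: bool,
                 create_fn: Optional[Callable[[PlannedIssue], None]] = None) -> RoutingResult:
    """Validate, route and (unless dry_run) create the agent's proposed issues.

    existing_open maps "org/repo" to titles of issues already open there. The write
    path is reachable only with dry_run=False *and* an explicit create_fn, so a dry
    run cannot create anything regardless of what the agent emitted.
    """
    if not dry_run and create_fn is None:
        raise ValueError("live run requires create_fn")
    result = RoutingResult()
    seen = {repo: {_norm(t) for t in titles} for repo, titles in existing_open.items()}
    counts = dict.fromkeys(CAPS, 0)
    for item in proposed:
        title, kind = item["title"].strip(), item.get("kind", "finding")
        if kind not in KINDS:
            result.skipped.append((title, f"unknown kind {kind!r}"))
            continue
        if kind in CAPS and not title.startswith(STANDARDS_PREFIX):
            result.skipped.append((title, "proposals must be Standards:-prefixed"))
            continue
        # Repo-specific findings go in that repo; org-wide findings and all proposals go in .github
        repo_name = item.get("repo") if kind == "finding" else None
        if repo_name:
            repo_name = repo_name.removeprefix(org + "/")   # accept "org/repo" as well as "repo"
        target = f"{org}/{repo_name}" if repo_name else f"{org}/.github"
        open_here = seen.setdefault(target, set())
        if _norm(title) in open_here:
            result.skipped.append((title, f"duplicate of an open issue in {target}"))
            continue
        if kind in CAPS:
            if counts[kind] >= CAPS[kind]:
                result.skipped.append((title, f"cap of {CAPS[kind]} {kind} proposals reached"))
                continue
            counts[kind] += 1
        labels = list(dict.fromkeys([*item.get("labels", []), CLAUDE_LABEL]))   # always add claude
        issue = PlannedIssue(target, title, item.get("body", ""), labels)
        open_here.add(_norm(title))                 # also dedup within this run
        result.planned.append(issue)
        if not dry_run:
            create_fn(issue)                        # e.g. a wrapper around `gh issue create --repo`
            result.created.append(issue)
    return result


# Constructed sample input, modelled on the titles in this PR's initial survey.
SAMPLE_PROPOSED = [
    {"title": "CRITICAL: Rotate exposed google_api_key", "repo": "markets", "kind": "finding"},
    {"title": "Branch protection gaps", "repo": None, "kind": "finding"},
    {"title": "branch  protection GAPS", "repo": None, "kind": "finding"},       # dup within run
    {"title": "Dependabot auto-merge broken", "repo": None, "kind": "finding"},   # already open
    {"title": "Standards: require SLSA provenance on releases", "kind": "standards"},
    {"title": "Standards: publish an SBOM per release", "kind": "standards"},
    {"title": "Standards: enable push protection org-wide", "kind": "standards"},
    {"title": "Standards: track workflow SLOs", "kind": "standards"},            # over the cap
    {"title": "Adopt flakiness tracking", "kind": "best_practice"},              # missing prefix
]
SAMPLE_EXISTING = {"petry-projects/.github": ["Dependabot auto-merge broken"]}

if __name__ == "__main__":
    res = route_issues(SAMPLE_PROPOSED, SAMPLE_EXISTING, "petry-projects", dry_run=True)
    for issue in res.planned:
        print("would create", issue.repo, "|", issue.title, issue.labels)
    for title, why in res.skipped:
        print("skipped", title, "->", why)
```

In the workflow this would sit between the Claude step and any `gh issue create` call, with dry_run wired to the workflow input rather than to a sentence in the prompt.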
Copilot AI review requested due to automatic review settings April 5, 2026 17:30
coderabbitai Bot commented Apr 5, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 27 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 11 minutes and 27 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ad333e90-35a2-417a-95cb-15764c8cd235

📥 Commits

Reviewing files that changed from the base of the PR and between f0831cf and afd3af1.

📒 Files selected for processing (2)
  • .github/workflows/compliance-audit-and-improvement.yml
  • .github/workflows/compliance-audit.yml
📝 Walkthrough

Added a new weekly GitHub Actions workflow that runs a repo compliance audit, collects cross-repo health telemetry, and invokes an AI analysis step to synthesize findings and optionally create routed issues; the prior single-file compliance workflow was removed.

Changes

Cohort / File(s)                                                     Summary
New Workflow: .github/workflows/compliance-audit-and-improvement.yml
    Introduces a 3-job workflow (audit, health-survey, analyze) with weekly cron and manual dispatch inputs (target_repo, dry_run), concurrency, per-job permissions, artifact upload (compliance-report), and outputs exposing audit/health metrics.
Removed Workflow: .github/workflows/compliance-audit.yml
    Deleted legacy/composite compliance workflow that previously performed the audit and AI-driven standards review; replaced by the new consolidated workflow.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Scheduler as "GitHub Actions\nScheduler / Manual Dispatch"
    participant GH as "GitHub Actions\nRunner"
    participant AuditScript as "audit script\n(scripts/compliance-audit.sh)"
    participant API as "GitHub API / gh"
    participant ArtifactStore as "Artifacts"
    participant Claude as "Claude Code Action\n(anthropics/claude-code-action)"
    participant RepoIssues as "Target Repo\n(issues)"

    Scheduler->>GH: trigger workflow (cron / manual)
    GH->>AuditScript: run `audit` job (checkout .github, run script)
    AuditScript->>ArtifactStore: upload `compliance-report` artifact
    GH->>API: run `health-survey` job (collect telemetry per repo)
    API-->>GH: return health JSON report
    GH->>ArtifactStore: download audit artifact (if present) in `analyze`
    GH->>Claude: invoke analysis with audit + health JSON, dry_run input
    Claude-->>GH: return analysis & issue actions
    alt dry_run = false
        GH->>RepoIssues: create/update routed issues per analysis
    else dry_run = true
        GH-->>GH: produce analysis output only
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name           Status      Explanation
Description Check    ✅ Passed   Check skipped - CodeRabbit's high-level summary is enabled.
Title check          ✅ Passed   The title accurately describes the main change: extending the compliance audit workflow with a new CI/automation health survey component.
Docstring Coverage   ✅ Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

Copilot AI left a comment

Pull request overview

Adds an organization-level GitHub Actions workflow to periodically discover actionable PRs/issues across petry-projects and invoke a Claude Code agent to prioritize and work on a small set of items.

Changes:

  • Introduces a scheduled + manually-dispatchable workflow (every 4 hours) with concurrency locking.
  • Implements a discovery job that scans repos for open PRs/issues and produces a JSON “work manifest”.
  • Adds an improvement job that runs anthropics/claude-code-action with a detailed operating prompt using the manifest.


7 comment threads on .github/workflows/continuous-improvement.yml (outdated)
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 10

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/continuous-improvement.yml:
- Line 240: The workflow hard-codes the organization name ("petry-projects") in
git clone commands and similar places (e.g., the line containing "gh repo clone
petry-projects/<repo> /tmp/<repo>"); replace those hard-coded org strings with
the GitHub Actions context variable for the repository owner (use ${{
github.repository_owner }}) and apply the same replacement to all other
occurrences (lines referenced in the comment such as the other clone/URL usages)
so the workflow works for any org without manual edits.
- Line 398: The current dry-run relies on the agent following natural-language
instructions; to enforce it programmatically, split the existing improve job
into two jobs (e.g., improve-dry-run and improve-live) and gate them by
inputs.dry_run, ensure improve-dry-run sets permissions.contents: read only and
does only analysis steps (no Claude Code write steps), ensure improve-live has
write permissions (contents/pull-requests/issues/id-token) and contains the
Claude Code action and any push/PR/comment steps, and alternatively wrap the
Claude Code action and any write steps with an explicit conditional that checks
inputs.dry_run (skip when true) so no write operations are executed when dry_run
is enabled.
- Line 180: The workflow's job timeout is excessive and risks long blocking;
change the timeout-minutes value from 120 to 60 and update the agent's CI-wait
behavior so it does not block for long-running CI: implement a threshold (e.g.,
10 minutes) in the logic that handles the --watch/CI polling loop and, if
exceeded, have the agent stop waiting and leave a comment on the PR instead of
continuing to wait; update any relevant steps referring to the Claude Code
action and the --watch loop to document and enforce this new timeout/threshold
behavior.
- Around line 298-303: Replace the blocking `gh pr checks <number> --watch
--fail-level all` usage with a non-blocking poll: run `sleep 30` then use `gh pr
checks <number> --repo petry-projects/<repo> --json name,state` in a loop that
re-checks every 30s up to a timeout (e.g., 10 minutes); if checks are still
pending after the timeout, stop waiting, post a PR comment with the current CI
states, and move on; if a failure is observed, retry at most once for the item
before posting results and continuing.
- Around line 345-365: The workflow currently instructs the agent to run "gh pr
create" automatically, which can create unsolicited PRs; change the CI job/step
that invokes the gh pr create command so it defaults to a dry-run mode and
requires explicit human confirmation before creating a PR (e.g., add a
conditional that only runs the "gh pr create" step when a workflow input or
repository secret like CONFIRM_CREATE_PR is set, and otherwise posts a comment
on the corresponding issue describing the proposed changes), and update the step
name that performs PR creation to clearly reflect "dry-run" vs "create" modes so
maintainers can validate output before any PR is opened.
- Line 394: Update the "Respect existing work." rule that currently checks for
author activity within the last 24h: change the inactivity window to a shorter
span (6–12 hours) and add an additional recent-update guard that skips automated
pushes if the PR was updated within the last 4 hours; implement these checks in
the discovery phase or at the start of Phase 2 so the agent first evaluates both
last-commit timestamp and last-PR-update timestamp before deciding to push
changes, and update the human-facing rule text to reflect the new windows.
- Around line 236-266: The workflow currently instructs the agent to directly
commit and push fixes in the "If the PR has unresolved comments" and "If the PR
has failing CI" checklist items (the blocks starting with "If the PR has
unresolved comments" and "If the PR has failing CI"); change these to prevent
unconsented pushes by: replace the direct "Make the requested changes... Push
the changes to the PR branch" and "Fix the root cause... Commit and push the
fix" language with steps that (1) always leave detailed review comments and
suggested patches, (2) only perform commits/pushes when the PR author explicitly
requests fixes (e.g., a trigger like "@agent please fix"), and (3) if making
changes, prefer creating a new branch and opening a separate PR against the
original branch (or verify write access to the fork before attempting any push);
also add a check to verify branch ownership/fork write permissions before any
automated push.
- Around line 89-99: The GraphQL query assigned to UNRESOLVED uses
reviewThreads(first: 50) which can miss threads when a PR has >50 threads;
update the logic in the workflow to paginate reviewThreads using
pageInfo/endCursor (or increase to a safe max like first: 100 if acceptable) and
loop requests until pageInfo.hasNextPage is false, aggregating nodes and
computing the unresolved count; look for the UNRESOLVED assignment and the
reviewThreads(first: 50) fragment to modify the query and the surrounding shell
logic to collect all pages before computing the final length.
- Line 121: The jq label-filter currently uses
any(test("help|bug|enhancement|good first issue|scorecard|compliance")) which
does substring matching and can match unintended labels; replace that part of
the expression (the select(... .labels | map(.name) | any(test(...)) ...)) with
either anchored regexes like any(test("^(help|bug|enhancement|good first
issue|scorecard|compliance)$")) or, preferably, explicit equality checks e.g.
any(. == "help" or . == "bug" or . == "enhancement" or . == "good first issue"
or . == "scorecard" or . == "compliance") so only exact label names are matched.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8dcd0949-44d1-4980-9e5a-871605e8df3b

📥 Commits

Reviewing files that changed from the base of the PR and between b7f6e7d and a5aebe7.

📒 Files selected for processing (1)
  • .github/workflows/continuous-improvement.yml

10 comment threads on .github/workflows/continuous-improvement.yml (outdated)
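Two of the review comments above concern the discovery phase of the earlier continuous-improvement.yml: the reviewThreads(first: 50) query that silently truncates PRs with more than 50 threads, and the jq label filter whose test() does unanchored substring matching. The following is an added example, not the workflow's own shell/jq code, showing both fixes in Python: a cursor-driven walk of the reviewThreads connection (nodes, pageInfo.hasNextPage, pageInfo.endCursor, the shape the comment refers to) with a loop guard, and an exact-equality label filter beside the substring behaviour it replaces. fake_review_threads and the sample issues are constructed stand-ins so the block runs offline; the label list is the one quoted in the review.

```python
"""Discovery-phase helpers: paginated unresolved-thread counting and exact label matching.

Added example, not the workflow's own shell/jq code. fake_review_threads and the
sample data below are constructed so the block runs without the GitHub API.
"""
from __future__ import annotations
import re
from typing import Callable, Optional

Page = dict   # {"nodes": [{"isResolved": bool}, ...], "pageInfo": {"hasNextPage": bool, "endCursor": str | None}}
FetchPage = Callable[[Optional[str], int], Page]


def count_unresolved_threads(fetch_page: FetchPage, page_size: int = 50, max_pages: int = 100) -> int:
    """Walk the reviewThreads connection cursor by cursor until hasNextPage is false."""
    unresolved, cursor = 0, None
    for _ in range(max_pages):
        page = fetch_page(cursor, page_size)
        unresolved += sum(1 for node in page["nodes"] if not node["isResolved"])
        info = page["pageInfo"]
        if not info["hasNextPage"]:
            return unresolved
        if not info["endCursor"]:
            raise RuntimeError("hasNextPage is true but endCursor is empty; refusing to loop")
        cursor = info["endCursor"]
    raise RuntimeError(f"gave up after {max_pages} pages")


def count_unresolved_first_page_only(fetch_page: FetchPage, page_size: int = 50) -> int:
    """What `reviewThreads(first: 50)` without pagination computes: one request, the rest ignored."""
    page = fetch_page(None, page_size)
    return sum(1 for node in page["nodes"] if not node["isResolved"])


def fake_review_threads(resolved_flags: list[bool]) -> FetchPage:
    """Constructed stand-in for the API: serves resolved_flags in cursor-delimited pages."""
    def fetch_page(after: Optional[str], first: int) -> Page:
        start = 0 if after is None else int(after)
        chunk = resolved_flags[start:start + first]
        end = start + len(chunk)
        more = end < len(resolved_flags)
        return {"nodes": [{"isResolved": r} for r in chunk],
                "pageInfo": {"hasNextPage": more, "endCursor": str(end) if more else None}}
    return fetch_page


# Label filter. jq's test() is an unanchored regex search, so "bug" also matches "debug-logging".
ACTIONABLE_LABELS = frozenset({"help", "bug", "enhancement", "good first issue", "scorecard", "compliance"})
_SUBSTRING = re.compile("help|bug|enhancement|good first issue|scorecard|compliance")


def has_actionable_label(labels: list[str], exact: bool = True) -> bool:
    if exact:
        return any(label in ACTIONABLE_LABELS for label in labels)     # exact name equality
    return any(_SUBSTRING.search(label) for label in labels)           # the original jq semantics


def select_actionable(issues: list[dict], exact: bool = True) -> list[int]:
    """issues: [{"number": int, "labels": [str]}] -> numbers that pass the filter."""
    return [issue["number"] for issue in issues if has_actionable_label(issue["labels"], exact)]


# Constructed samples: 112 review threads, with every unresolved one beyond the first page of 50.
SAMPLE_THREADS = [True] * 60 + [False] * 15 + [True] * 30 + [False] * 7
SAMPLE_ISSUES = [
    {"number": 1, "labels": ["bug"]},
    {"number": 2, "labels": ["debug-logging"]},        # substring match only
    {"number": 3, "labels": ["helpful-links"]},        # substring match only
    {"number": 4, "labels": ["compliance", "claude"]},
    {"number": 5, "labels": ["wontfix"]},
]

if __name__ == "__main__":
    fetch = fake_review_threads(SAMPLE_THREADS)
    print("first page only:", count_unresolved_first_page_only(fetch))        # 0
    print("paginated:      ", count_unresolved_threads(fetch))                # 22
    print("exact labels:   ", select_actionable(SAMPLE_ISSUES))                # [1, 4]
    print("substring:      ", select_actionable(SAMPLE_ISSUES, exact=False))   # [1, 2, 3, 4]
```

The truncation matters for the agent's "unresolved comments" branch: a PR whose first 50 threads happen to be resolved looks clean, and the agent would push to it. The max_pages guard and the empty-cursor check keep a malformed or looping response from turning the discovery job into an API-quota burner.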
@don-petry don-petry marked this pull request as draft April 5, 2026 20:38
@don-petry don-petry changed the title "feat: add continuous improvement agent (every 4h)" to "feat: weekly CI & automation health survey workflow" Apr 6, 2026
@don-petry don-petry force-pushed the feat/continuous-improvement-agent branch from e245144 to 04c31c0 April 6, 2026 01:29
@don-petry don-petry changed the title "feat: weekly CI & automation health survey workflow" to "feat: extend compliance audit with CI/automation health survey" Apr 6, 2026
@don-petry don-petry force-pushed the feat/continuous-improvement-agent branch 3 times, most recently from c175547 to f0831cf April 6, 2026 02:10
@don-petry don-petry marked this pull request as ready for review April 6, 2026 02:11
@don-petry don-petry force-pushed the feat/continuous-improvement-agent branch from f0831cf to 8d035da April 6, 2026 02:14
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/compliance-audit-and-improvement.yml:
- Around line 213-216: The current steps build REPORT from REPORT_FILE and write
it into GITHUB_OUTPUT via REPORT and REPORT_EOF which risks hitting output size
limits; instead write the normalized JSON into a dedicated file (e.g.,
health-survey-report.json) and use the actions/upload-artifact action (or
equivalent artifact upload) to publish that file as the health survey report
artifact; update the workflow to remove the echo to GITHUB_OUTPUT
(REPORT/REPORT_EOF) and add an upload-artifact step that references the
generated file so large reports are handled robustly.
- Line 126: Replace the subshell sed invocation that sets REPOS from TARGET_REPO
with bash parameter expansion to remove the "$ORG/" prefix; update the
assignment that references REPOS and TARGET_REPO (and ORG) to use parameter
expansion (strip the "$ORG/" prefix from TARGET_REPO) instead of echo|sed so the
linter SC2001 is satisfied and no external command is invoked.
- Around line 185-202: The current inline Python script embeds shell variables
directly (e.g., $REPO, $FULL_REPO, $BRANCH_PROTECTION, $WORKFLOWS) which is
fragile and can break on quotes; change the step to export those values as
environment variables and have the Python snippet read them from os.environ (or
write JSON payloads like BRANCH_PROTECTION/WORKFLOWS to temp files and read them
in Python) before loading REPORT_FILE and appending the repo entry; update the
code that builds the JSON to use json.loads(os.environ['BRANCH_PROTECTION']) and
json.loads(os.environ['WORKFLOWS']) (or file reads) and keep REPORT_FILE as the
path passed into the script so no direct shell-to-Python string interpolation
occurs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3e2bcc0f-290f-46a5-a7f1-cd560c903cdd

📥 Commits

Reviewing files that changed from the base of the PR and between a5aebe7 and f0831cf.

📒 Files selected for processing (1)
  • .github/workflows/compliance-audit-and-improvement.yml

3 comment threads on .github/workflows/compliance-audit-and-improvement.yml (outdated)
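The third comment in the review above flags shell variables ($REPO, $FULL_REPO, $BRANCH_PROTECTION, $WORKFLOWS) expanded directly into an inline Python script. The fragility is the visible symptom; the security point is that those values come from the surveyed repos, and a workflow's `name:` is free text chosen by whoever can push a workflow file there, so the org-level survey job would execute repo-controlled text as Python with its own token. The following is an added example, not the workflow's code, that reconstructs the interpolation pattern the comment describes (the template is hypothetical, not the actual step) and runs three constructed inputs through it: a plain name, a name with an apostrophe that merely breaks the step, and a name that closes the string literal and runs code. The hardened variant reads the same values from the environment, as the comment suggests.

```python
"""Passing shell values into an inline Python step: text interpolation vs environment.

Added example, not the workflow's code. UNSAFE_TEMPLATE is a reconstruction of
the pattern the review describes (shell variables expanded inside a
`python3 - <<EOF` heredoc), not the actual step; org, repo and workflow names
are constructed sample data.
"""
from __future__ import annotations
import json
import os
from typing import Mapping, Optional

# Hypothetical inline step. The shell expands $FULL_REPO and $WORKFLOWS into this text
# *before* Python parses it, so the values become source code rather than data.
UNSAFE_TEMPLATE = """import json
repo = "$FULL_REPO"
workflows = json.loads('$WORKFLOWS')
entry = {"repo": repo, "workflows": [w["name"] for w in workflows]}
"""


def render_unsafe(full_repo: str, workflows_json: str) -> str:
    """Mimic heredoc expansion: plain textual substitution, no quoting or escaping."""
    return UNSAFE_TEMPLATE.replace("$FULL_REPO", full_repo).replace("$WORKFLOWS", workflows_json)


def run_unsafe(full_repo: str, workflows_json: str) -> dict:
    """Run the expanded script the way `python3 -` would and report what happened."""
    namespace: dict = {}
    try:
        exec(render_unsafe(full_repo, workflows_json), namespace)
    except SyntaxError as exc:
        return {"status": "error", "error": type(exc).__name__, "injected": False}
    return {"status": "ok", "injected": bool(namespace.get("INJECTED")), "entry": namespace.get("entry")}


def build_entry(env: Optional[Mapping[str, str]] = None) -> dict:
    """Hardened step: values arrive as environment variables and are parsed, never spliced into code.

    In the workflow this pairs with an `env:` block on the step (FULL_REPO and WORKFLOWS
    set from the shell variables or earlier step outputs), so the script only ever sees
    them through os.environ and json.loads. Quotes, semicolons and parentheses in a
    workflow name are then just characters in a string.
    """
    env = os.environ if env is None else env
    workflows = json.loads(env["WORKFLOWS"])
    return {"repo": env["FULL_REPO"], "workflows": [w["name"] for w in workflows]}


# Constructed sample data. Anyone who can push a workflow file to a surveyed repo chooses
# its `name:` freely, so from the org-level job's point of view these strings are
# attacker-controlled, and that job runs with an org-scoped token.
REPO = "petry-projects/demo"
PLAIN_WORKFLOWS = [{"name": "CI"}]
QUOTE_WORKFLOWS = [{"name": "Don't break"}]                           # benign, but breaks the step
MALICIOUS_WORKFLOWS = [{"name": "x\"}]'); INJECTED = True; ('"}]      # closes the literal, runs code

if __name__ == "__main__":
    for label, wf in ("plain", PLAIN_WORKFLOWS), ("quote", QUOTE_WORKFLOWS), ("malicious", MALICIOUS_WORKFLOWS):
        print("unsafe", label, run_unsafe(REPO, json.dumps(wf)))
        print("safe  ", label, build_entry({"FULL_REPO": REPO, "WORKFLOWS": json.dumps(wf)}))
```

The malicious name works because `gh api` emits the embedded double quote as `\"`, which Python's single-quoted literal turns back into `"`, so `json.loads` receives valid JSON and the appended statements run before the next line. INJECTED is only a marker here; in the real job it would be whatever the author wanted to do with the survey token. The same reasoning applies to branch names and any other repo-sourced string the step splices into code.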
@don-petry don-petry force-pushed the feat/continuous-improvement-agent branch 2 times, most recently from a8f1b77 to 2df7591 April 6, 2026 02:18
@don-petry don-petry force-pushed the feat/continuous-improvement-agent branch from 2df7591 to e3460b1 April 6, 2026 02:21
Replaces compliance-audit.yml with compliance-audit-and-improvement.yml,
extending the existing weekly compliance audit with runtime health
telemetry and a forward-looking best practices research phase.

Architecture (3 jobs):

  Job 1 — Compliance Audit (unchanged)
    Deterministic shell script checking all repos against org standards.
    Creates/updates/closes compliance issues per finding.

  Job 2 — Health Survey (new)
    Collects runtime telemetry across all org repos:
    CI run failures (7d), security alerts (Dependabot/secret/code scanning),
    PR staleness, branch protection status, workflow inventory.

  Job 3 — Analyze & Create Issues (Claude, rewritten)
    Six-phase analysis combining both datasets:
    1. Load compliance + health data and org standards
    2. Correlate and categorize findings by severity
    3. Research root causes and automation opportunities
    4. Evaluate against industry best practices and emerging capabilities
       (agentic guardrails, supply chain integrity, reliability SLOs, etc.)
       — outputs only standards proposals, not implementation issues
    5. Create issues: repo-specific go in that repo, org-wide in .github,
       every issue gets the claude label for agent pickup
    6. Summary report to step summary

Issue rules:
- Every issue must have the `claude` label
- Repo-specific issues are created in that repo
- Org-wide and standards proposals go in .github
- Deduplicates against existing open issues
- Max 3 standards-improvement + 3 best-practices proposals per run

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@don-petry don-petry force-pushed the feat/continuous-improvement-agent branch from e3460b1 to afd3af1 April 6, 2026 02:23
sonarqubecloud Bot commented Apr 6, 2026

@don-petry don-petry merged commit 59a31d3 into main Apr 6, 2026
16 checks passed
@don-petry don-petry deleted the feat/continuous-improvement-agent branch April 6, 2026 02:25
Labels: None yet
Projects: None yet
2 participants