fix(ci): remediate .github compliance findings — 2026-04-17 audit

[don-petry]

Summary

Addresses all 7 compliance findings for the .github repository from the 2026-04-17 audit (issue #146).

SHA Pinning (3 error findings fixed)

• claude.yml: pinned reusable workflow reference from @main → SHA (ae9709f... = v1)
• agent-shield.yml: pinned reusable workflow reference from @v1 tag → SHA
• dependency-audit.yml: replaced full inline workflow with canonical thin caller stub per standards/workflows/dependency-audit.yml template — this eliminates the unpinned dtolnay/rust-toolchain@stable reference (logic now lives in the centralized reusable)

Secret Scan CI Job (1 error finding fixed)

• ci.yml: added secret-scan job using gitleaks/gitleaks-action@ff98106... (v2.3.9) with full-history checkout per standards/push-protection.md template

API-Applied Settings (3 findings fixed directly)

• ✅ CodeQL default setup enabled (codeql-default-setup-not-configured) — triggered run #24189208962
• ✅ allow_auto_merge=true applied (allow_auto_merge warning)
• ✅ delete_branch_on_merge=true applied (delete_branch_on_merge warning)

Not Actionable

• security_and_analysis_unavailable (2 warnings) — GitHub Advanced Security features require an org plan upgrade; not addressable at the workflow level

Test plan

• CI passes on this PR (lint, shellcheck, actionlint, agent-security, secret-scan)
• Verify CodeQL default setup shows as "Configured" in repo Settings → Code security
• Verify repo settings show allow_auto_merge and delete_branch_on_merge enabled
• Next weekly compliance audit shows 0 findings for .github repo

Closes #146

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 7 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 49 minutes and 7 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3da1676a-0ca8-4f0e-b2b8-6c2ac374cc73

📥 Commits

Reviewing files that changed from the base of the PR and between 9a694e5 and d8c114a.

📒 Files selected for processing (4)

• .github/workflows/agent-shield.yml
• .github/workflows/ci.yml
• .github/workflows/claude.yml
• .github/workflows/dependency-audit.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-146-20260417-1337

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Remediates the 2026-04-17 compliance audit findings for the .github repo by tightening GitHub Actions SHA pinning, centralizing dependency-audit logic into the org reusable workflow, and adding a CI secret-scanning job.

Changes:

• Converted dependency-audit.yml from an inline workflow into a thin caller stub that delegates to the org reusable workflow.
• SHA-pinned Tier-1 stub workflow uses: references (claude.yml, agent-shield.yml, dependency-audit.yml).
• Added secret-scan CI job using gitleaks/gitleaks-action with full-history checkout.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File	Description
.github/workflows/dependency-audit.yml	Replaced inline audit implementation with reusable-workflow caller and added “thin stub” header block.
.github/workflows/claude.yml	Pinned reusable workflow reference from branch/tag to commit SHA.
.github/workflows/ci.yml	Added secret-scan job running gitleaks with fetch-depth: 0.
.github/workflows/agent-shield.yml	Pinned reusable workflow reference from tag to commit SHA.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This stub claims standards/workflows/dependency-audit.yml as the “SOURCE OF TRUTH”, but that template currently uses @v1 (tag) while this file pins the reusable to a commit SHA. Please reconcile this by updating the standards template (and any related docs) to match the SHA-pinning requirement, otherwise future “copy verbatim” adoptions will drift and/or fail the compliance audit.

[Copilot]

standards/ci-standards.md describes Tier-1 stub workflows as delegating to reusables via ...@v1, and standards/workflows/claude.yml also uses @v1. This stub is now SHA-pinned instead, which creates a standards/templates mismatch. Please update the standards template/docs (or the audit exemption rules) so adopters can still “copy verbatim” without creating drift.

Suggested change

	uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
	uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1

[Copilot]

standards/ci-standards.md and standards/workflows/agent-shield.yml currently define the Tier-1 stub as calling the reusable via ...@v1. This file now pins to a SHA, which means the “SOURCE OF TRUTH” template and documentation are out of sync with what compliance requires. Please reconcile by updating the standards template/docs (or the audit script) so downstream repos can adopt verbatim without failing audits.

[Copilot]

The checkout SHA comment and the “Look up current SHA” command disagree: it says to query refs/tags/v4, but the pinned version comment is # v6.0.2. Please update the lookup command (and/or version comment) so maintainers don’t fetch the wrong ref when refreshing the pin.

Suggested change

	# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
	# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v6.0.2 --jq '.object.sha'

[Copilot]

The header’s “Standard:” link looks incorrect (#5-...dependency-auditym doesn’t match the actual “### 6. Dependency Audit (dependency-audit.yml)” section in standards/ci-standards.md). Please update this anchor so the reference is accurate and doesn’t 404/mislead future adopters.

Suggested change

	# Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-auditym
	# Standard: petry-projects/.github/standards/ci-standards.md#6-dependency-audit-dependency-audityml

[don-petry]

Automated review — APPROVED

Risk: LOW
Reviewed commit: d8c114a523f064c3c1aedb41468faaaf93f11fc8
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

All code changes are verified security improvements. SHA pins for reusable workflows resolve to the correct v1 annotated tag commit (ae9709f). The gitleaks binary checksum (cb49b7de...) matches the official v8.24.0 release. The two CI failures are non-security: claude-code/claude is self-referential (the review bot workflow reviewing its own modification), and the SonarCloud Security Hotspot is almost certainly the well-mitigated curl+tar+checksum-verify pattern for binary installation.

Findings

Minor

• [minor] .github/workflows/ci.yml:113 — SonarCloud Quality Gate failed with 1 Security Hotspot. Without dashboard access, this is most likely the curl+tar binary download pattern in the gitleaks install step. This pattern is properly mitigated with SHA256 checksum verification against the official release. Recommend reviewing and marking as 'Safe' in SonarCloud.

Info

• [info] (supply-chain) — Reusable workflow SHA ae9709f verified: annotated tag v1 (tag object 208ec2d6) points to this commit. Used consistently across claude.yml, agent-shield.yml, and dependency-audit.yml.
• [info] .github/workflows/ci.yml:108 (supply-chain) — actions/checkout SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd verified against GitHub API as v6.0.2. Comment label is correct.
• [info] .github/workflows/ci.yml:118 (supply-chain) — Gitleaks v8.24.0 SHA256 checksum cb49b7de5ee986510fe8666ca0273a6cc15eb82571f2f14832c9e8920751f3a4 verified against official gitleaks_8.24.0_checksums.txt (release asset ID 230829272). Download-verify-execute pattern is properly implemented.
• [info] .github/workflows/ci.yml:100 (permissions) — secret-scan job permissions are minimal: contents: read only. No write permissions, no token exposure in steps.
• [info] .github/workflows/claude.yml (ci-gate) — claude-code/claude CI check failed. This is the Claude Code review workflow itself — failure is self-referential (the workflow file being reviewed is the one that defines this check). Not a security concern.
• [info] .github/workflows/dependency-audit.yml (operational) — dependency-audit.yml thin stub changes the required status check job name from 'Detect ecosystems' to 'dependency-audit / Detect ecosystems'. Branch protection rules should be updated to match the new name.
• [info] .github/workflows/ci.yml:108 (correctness) — Old dependency-audit.yml had actions/checkout SHA de0fac2e labeled '# v4' — this was a mislabeled comment (SHA is actually v6.0.2). The PR removes this mislabeled code entirely. New ci.yml correctly labels the same SHA as '# v6.0.2'.

CI status

Two CI failures noted, both non-blocking from a security perspective:

• claude-code/claude: Self-referential (this review bot checking its own workflow modification)
• SonarCloud: 1 Security Hotspot flagged on the curl+tar+checksum pattern — properly mitigated; recommend marking Safe in SonarCloud dashboard

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push