fix: add GH_TOKEN preflight check to compliance-audit.sh

[claude]

Summary

Adds an early-exit preflight check at the top of main() in scripts/compliance-audit.sh that fails fast with clear, actionable error messages when authentication isn't configured correctly.

Changes

scripts/compliance-audit.sh — added at the top of main():

# Preflight: verify GH_TOKEN is set and gh CLI is authenticated
if [ -z "${GH_TOKEN:-}" ]; then
  echo "::error::GH_TOKEN is not set. Ensure ORG_SCORECARD_TOKEN secret is configured and passed as an env var to this step." >&2
  exit 1
fi
if ! gh auth status >/dev/null 2>&1; then
  echo "::error::gh auth failed — GH_TOKEN is set but authentication did not succeed. Check that ORG_SCORECARD_TOKEN is valid and has repo + read:org scopes." >&2
  exit 1
fi

Previously, auth failures manifested deep in the script as cryptic gh CLI errors rather than a clear authentication failure message.

Required manual change (workflow file)

The Claude GitHub App lacks the workflows permission and cannot modify .github/workflows/. To fully resolve the root cause, apply this one-line change manually to .github/workflows/compliance-audit-and-improvement.yml:

In the Run compliance audit step (job audit), add GH_TOKEN explicitly at the step level:

      - name: Run compliance audit
        id: audit
        env:
          GH_TOKEN: ${{ secrets.ORG_SCORECARD_TOKEN }}   # ← add this line
          REPORT_DIR: ${{ runner.temp }}/compliance-report
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
          CREATE_ISSUES: 'true'

Also verify ORG_SCORECARD_TOKEN is set in Settings → Secrets with repo + read:org scopes.

Closes #30

Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud