feat(compliance-audit): detect non-stub centralized workflow copies

[don-petry]

Summary

Closes the loop on the workflow centralization effort started in #87 (build reusables) and #88 (pin to v1, document tiers). Now that the canonical stubs exist and are versioned, the weekly compliance audit can detect when a downstream repo carries an inline copy or a stale @main/@v0 reference instead of the v1 stub.

What the check does

Adds check_centralized_workflow_stubs to scripts/compliance-audit.sh and wires it into the per-repo audit loop. For each Tier 1 workflow (claude.yml, dependency-audit.yml, dependabot-automerge.yml, dependabot-rebase.yml, agent-shield.yml, feature-ideation.yml):

• If the file is missing → no finding (already covered by check_required_workflows)
• If the file contains uses: petry-projects/.github/.github/workflows/<reusable>.yml@v1 → compliant
• If it references the reusable but with a different ref → "not pinned to @v1"
• If it references the reusable but the line is malformed → "uses: line does not match canonical stub"
• Otherwise → "is an inline copy — re-sync from standards/workflows/<file>"

The central .github repo is exempt because it owns the reusables.

Test plan

• bash -n and shellcheck clean
• Hand-fixture unit test in /tmp covering:
  • stub@v1 → no finding
  • stub@main → flagged with @v1 message
  • inline copy → flagged with inline message
  • missing file → no finding
• CI on this branch
• After merge: the next scheduled audit run will surface real findings across the 8 downstream repos that haven't yet adopted the v1 stubs — that's the input to the sweep work.

Why this matters

Without this check, the centralization is best-effort: a future agent could copy an old inline workflow into a new repo and nobody would notice until something broke. With it, drift is detected at the next audit run and surfaced as a remediation issue with a precise fix instruction (re-sync from the named template).

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Added automated compliance validation for workflow configurations to ensure adherence to organizational standards.

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 4 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 4 minutes and 4 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1d2faa79-fed3-40cd-9e62-b2091a13c7ac

📥 Commits

Reviewing files that changed from the base of the PR and between 6377c8a and da30f52.

📒 Files selected for processing (1)

• scripts/compliance-audit.sh

📝 Walkthrough

Walkthrough

Adds a new compliance check function check_centralized_workflow_stubs() to scripts/compliance-audit.sh that validates Tier-1 workflow files properly delegate to centralized reusable workflows using the canonical pattern uses: petry-projects/.github/.github/workflows/<reusable>.yml@v1.

Changes

Cohort / File(s)	Summary
Compliance Audit Check scripts/compliance-audit.sh	Added check_centralized_workflow_stubs() function that fetches and validates Tier-1 workflow files contain proper delegation patterns to centralized reusables. Reports specific findings for missing @v1 pinning, deviations from canonical stub, or inline copies. Integrated function call into main() after existing Claude workflow check.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat(workflows): pin reusable callers to @v1 and document tier model #88 — Introduces the stub workflow pattern and @v1 pinning requirements that this compliance check validates.
• feat: add weekly compliance audit workflow #12 — Introduces the scripts/compliance-audit.sh script that this PR extends with the new check function.
• feat: reusable Claude Code workflow with workflows write permission #77 — Creates a reusable workflow and implements the delegation pattern that the new compliance check validates.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: detecting non-stub centralized workflow copies is the primary purpose of the new check_centralized_workflow_stubs function added to the compliance audit script.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/compliance-audit-stub-detection

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 524-525: The grep pattern used to test decoded for
"petry-projects/.github/.github/workflows/${reusable}" uses unescaped dots so
BRE's dot will match any character; update the check in
scripts/compliance-audit.sh that uses echo "$decoded" | grep -q
"petry-projects/.github/.github/workflows/${reusable}" to perform a literal
match (either escape the dots as \\.github or switch grep to fixed-string mode
with -F) so the path is matched exactly against the variable ${reusable}.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7f7dc496-5c21-4111-bb30-fafbe4b680c8

📥 Commits

Reviewing files that changed from the base of the PR and between 6ba1b56 and 6377c8a.

📒 Files selected for processing (1)

• scripts/compliance-audit.sh

[Copilot]

Pull request overview

This PR extends the weekly scripts/compliance-audit.sh to detect drift from the org’s Tier 1 “centralized workflow” model by checking that downstream repos use the canonical thin caller stubs pinned to @v1 (and flagging inline copies or non-@v1 refs).

Changes:

• Added check_centralized_workflow_stubs to validate Tier 1 workflow stubs reference petry-projects/.github reusables at @v1.
• Wired the new check into the per-repo audit loop in main().

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud