
ci: pin agent-shield reusable workflow to SHA#178

Open
don-petry wants to merge 2 commits into main from claude/issue-154-20260414-1111

Conversation

@don-petry (Collaborator) commented Apr 14, 2026

Summary

  • Pin petry-projects/.github/.github/workflows/agent-shield-reusable.yml from @v1 to @ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
  • Resolves the action-pinning compliance finding raised by the weekly audit

Changes

.github/workflows/agent-shield.yml: replaced @v1 tag reference with the corresponding commit SHA (ae9709f4466dec60a5733c9e7487f69dcd004e05), keeping # v1 as a human-readable comment per org convention.

The SHA was resolved by dereferencing the annotated tag:

  • Tag object: 208ec2d69b75227d375edf8745d84fbac05a76b2
  • Commit SHA: ae9709f4466dec60a5733c9e7487f69dcd004e05

Closes #154

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configuration to use pinned dependency reference for enhanced stability and reproducibility.

Pin petry-projects/.github/.github/workflows/agent-shield-reusable.yml
from @v1 to @ae9709f4466dec60a5733c9e7487f69dcd004e05 (v1) to comply
with the org action-pinning policy.

Closes #154

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
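The resolution step in the description, the tag object versus the commit it peels to, is the part a pinning audit has to get right. What follows is an added example, not code from this PR or from petry-projects: a small Python checker that flags `uses:` references not pinned to a full 40-hex commit SHA and rewrites a tag reference to its commit while keeping the tag as the trailing comment, which is the form the org convention asks for. The sample workflow text, the placeholder `actions/checkout` SHA and the tag-to-commit map are constructed for illustration; the map entry for v1 carries the commit SHA quoted in the PR description.

```python
import re

# Matches `uses: owner/repo[/path]@ref [# comment]`, with or without a
# leading list dash. Local (./) and docker:// targets are filtered out
# after the match because they carry no git ref to pin.
USES_RE = re.compile(
    r"""^(?P<indent>\s*)(?:-\s+)?uses:\s*
        (?P<target>[^@\s#]+)@(?P<ref>[^\s#]+)
        (?:\s*\#\s*(?P<comment>\S.*))?\s*$""",
    re.VERBOSE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify(line):
    """Return (target, ref, status) for a remote uses: line, else None.

    status: 'pinned'            -> full 40-hex commit SHA plus a "# vN" comment
            'pinned-no-comment' -> full SHA but no human-readable version note
            'unpinned'          -> tag or branch name (mutable reference)
    """
    m = USES_RE.match(line)
    if not m or m.group("target").startswith(("./", "docker://")):
        return None
    target, ref, comment = m.group("target"), m.group("ref"), m.group("comment")
    if FULL_SHA_RE.match(ref):
        status = "pinned" if comment else "pinned-no-comment"
    else:
        status = "unpinned"
    return target, ref, status


def audit_uses(workflow_text):
    """List (line_no, target, ref, status) for every remote uses: reference."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        c = classify(line)
        if c is not None:
            findings.append((n,) + c)
    return findings


def pin_line(line, resolved):
    """Rewrite one unpinned uses: line to its commit SHA, keeping the tag as a comment.

    `resolved` maps "target@tag" to the commit SHA the tag peels to. The
    checker cannot tell a tag object SHA from a commit SHA (both are 40 hex),
    so the caller must supply the peeled commit. Anything not in the map, or
    already pinned, is returned unchanged.
    """
    m = USES_RE.match(line)
    if not m or FULL_SHA_RE.match(m.group("ref")):
        return line
    sha = resolved.get(f"{m.group('target')}@{m.group('ref')}")
    if sha is None or not FULL_SHA_RE.match(sha):
        return line
    return f"{line[:m.start('target')]}{m.group('target')}@{sha} # {m.group('ref')}"


def pin_workflow(workflow_text, resolved):
    """Apply pin_line to every line of a workflow file's text."""
    return "\n".join(pin_line(l, resolved) for l in workflow_text.splitlines()) + "\n"


# Constructed sample: the caller workflow as it looked before this PR, plus one
# already-pinned step (placeholder SHA, not a real actions/checkout revision)
# and one local action that the audit must ignore.
BEFORE = """\
name: AgentShield
on: [pull_request]
jobs:
  agent-shield:
    uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - uses: ./.github/actions/local-lint
"""

# Tag -> peeled commit, as resolved in the PR description (the tag object
# 208ec2d69b75227d375edf8745d84fbac05a76b2 is deliberately not used).
RESOLVED = {
    "petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1":
        "ae9709f4466dec60a5733c9e7487f69dcd004e05",
}

if __name__ == "__main__":
    for n, target, ref, status in audit_uses(BEFORE):
        print(f"line {n}: {status:18} {target}@{ref}")
    print(pin_workflow(BEFORE, RESOLVED))
```

The map is the one input the checker cannot derive on its own. In a clone of petry-projects/.github, `git rev-parse v1` returns the tag object (208ec2d in this PR) while `git rev-parse 'v1^{commit}'` returns the commit it peels to (ae9709f); `git ls-remote --tags` shows the same pair, with the peeled commit listed under `refs/tags/v1^{}`. Both values are 40 hex characters, so a naive "is it a SHA" check passes either of them, which is why the peeling has to be an explicit step rather than something inferred from the reference's shape.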
Copilot AI review requested due to automatic review settings April 14, 2026 11:12
@don-petry (Collaborator, Author)

@don-petry This PR is ready for your review and merge. It pins the agent-shield-reusable.yml reusable workflow to a commit SHA to resolve the action-pinning compliance finding in #154.

@coderabbitai (Bot) commented Apr 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4b041a3b-19e4-4c17-8879-99ae4ccbb0db

📥 Commits

Reviewing files that changed from the base of the PR and between a13e964 and 47e53c3.

📒 Files selected for processing (1)
  • .github/workflows/agent-shield.yml

📝 Walkthrough

Walkthrough

The .github/workflows/agent-shield.yml workflow file is updated to pin the reusable workflow reference from a floating version tag (@v1) to a specific commit SHA (@ae9709f4466dec60a5733c9e7487f69dcd004e05) for compliance with action-pinning policy requirements.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflow Reference Pinning: .github/workflows/agent-shield.yml | Pin petry-projects/.github/.github/workflows/agent-shield-reusable.yml reference from floating tag @v1 to commit SHA @ae9709f4466dec60a5733c9e7487f69dcd004e05 for compliance. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: pinning the agent-shield reusable workflow reference from @v1 tag to a specific commit SHA. |
| Linked Issues check | ✅ Passed | The code change directly addresses issue #154 by pinning the agent-shield reusable workflow to commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, fulfilling the action-pinning compliance requirement. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to the stated objective; only the agent-shield workflow reference was updated from @v1 tag to pinned SHA with no extraneous modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Copilot AI (Contributor) left a comment

Pull request overview

Pins the AgentShield reusable workflow reference to an immutable commit SHA to satisfy the org action-pinning compliance requirement and close the related audit finding (#154).

Changes:

  • Updated .github/workflows/agent-shield.yml to use a full commit SHA instead of the @v1 tag for the reusable workflow reference.

jobs:
agent-shield:
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
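Review bot: the new `uses:` line is only a correct pin if ae9709f4466dec60a5733c9e7487f69dcd004e05 is the commit that tag v1 peels to and not the tag object (the PR description lists both, 208ec2d for the tag object and ae9709f for the commit); confirm with `git rev-parse 'v1^{commit}'` in petry-projects/.github before merging, since a 40-hex check alone cannot tell the two apart. Two follow-ups the audit should track: this pin freezes agent-shield-reusable.yml at one revision, but any `uses:` steps inside that reusable workflow still resolve on their own, so the upstream file needs its own SHA pins for the finding to be fully closed rather than moved one level up; and the trailing `# v1` comment has to be updated together with the SHA on every future bump, otherwise the human-readable note drifts from what actually runs (Dependabot's github-actions updates keep the two in step if that is how bumps will be done).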
Copilot AI commented Apr 14, 2026:

The header comment states this stub "MUST NOT change" the uses: line and that the source of truth lives in petry-projects/.github/standards/workflows/agent-shield.yml, but this PR intentionally changes uses: to a pinned SHA. To avoid confusing future editors (and potential drift from the upstream standard), consider updating the header guidance to explicitly allow updating the ref for pinning, and/or syncing this change back to the upstream source-of-truth workflow.

@don-petry (Collaborator, Author)

Automated review — APPROVED

Risk: LOW
Reviewed commit: 47e53c3ee0aa99c6c3416ade34b81d480c1e35b3
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR pins the agent-shield reusable workflow from a mutable @v1 tag to a specific commit SHA, which is a security best-practice improvement that prevents supply-chain attacks via tag mutation. All CI checks (CodeQL, SonarCloud, AgentShield, Node.js tests, Playwright, dependency audit) are green. The change is exactly one line in one workflow file with no logic impact.

Findings

Info

  • .github/workflows/agent-shield.yml:33 — Pinning reusable workflow to commit SHA (ae9709f4466dec60a5733c9e7487f69dcd004e05) instead of mutable tag @v1 is the recommended GitHub Actions supply-chain hardening pattern. Change is correct and beneficial.
  • CI status: All status checks passed: CodeQL (actions, JS/TS, Python), SonarCloud, AgentShield, build-and-test, coverage, Node.js Tests, Playwright UI Tests, dependency audit (npm). mergeStateStatus is BLOCKED but mergeable is MERGEABLE — likely awaiting a required human review approval, not a code issue.

CI status

All CI checks green. mergeStateStatus is BLOCKED (awaiting required human review approval) but code is MERGEABLE.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.



Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-agent-shield.yml

2 participants