fix: pin dependabot-rebase reusable workflow to SHA (issue #157)

[don-petry]

Summary

• Pins petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml from the mutable tag @v1 to the immutable commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
• Resolves the action-pinning compliance finding flagged by the weekly audit

Detail

The compliance audit (unpinned-actions-dependabot-rebase.yml) requires all uses: references to be pinned to a full commit SHA per the Action Pinning Policy.

SHA was resolved by dereferencing the annotated v1 tag:

gh api repos/petry-projects/.github/git/refs/tags/v1   → tag object 208ec2d…
gh api repos/petry-projects/.github/git/tags/208ec2d…  → commit ae9709f…

Note: The upstream template at petry-projects/.github/standards/workflows/dependabot-rebase.yml still uses @v1. A follow-up PR against the central repo would bring the template itself into compliance and prevent the finding from recurring in new repos.

Closes #157

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 43 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 43 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: df47247a-1608-4f38-9a9b-50202e4041b7

📥 Commits

Reviewing files that changed from the base of the PR and between a13e964 and b8d80ec.

📒 Files selected for processing (1)

• .github/workflows/dependabot-rebase.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-157-20260414-1119

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry This PR is ready for your review. It pins the reusable workflow reference to the commit SHA to resolve the action-pinning compliance finding (#157).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Pins the Dependabot rebase reusable workflow reference to an immutable commit SHA to satisfy the org’s action-pinning compliance policy and clear issue #157.

Changes:

• Updated .github/workflows/dependabot-rebase.yml to use a full commit SHA instead of the mutable @v1 tag for the reusable workflow.

[Copilot]

The header comments say this workflow should be adopted verbatim and that the uses: line MUST NOT be changed, but this PR intentionally changes it for action-pinning compliance. Consider updating the nearby header guidance to explicitly allow/require pinning the reusable workflow to an immutable SHA (or note that this repo intentionally diverges from the current upstream template) to reduce the chance of a future revert back to @v1.

[don-petry]

Automated review — APPROVED

Risk: LOW
Reviewed commit: b8d80ecbaba0ef83e328ab7187adb012ac898792
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR pins a reusable workflow reference from the mutable @v1 tag to the immutable commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, resolving action-pinning compliance finding #157. The change is a pure security improvement (supply-chain hardening), 1 line in a single file, and every CI check — CodeQL, SonarCloud (0 new issues, 0 hotspots), AgentShield, dependency audit, and all test suites — passed. Triage escalated only due to a system-level triage output failure, not any content-level concern.

Findings

Info

• [info] .github/workflows/dependabot-rebase.yml:43 — Correctly pins petry-projects/.github reusable workflow from mutable @v1 tag to immutable SHA ae9709f4466dec60a5733c9e7487f69dcd004e05; SHA derivation is documented in the PR body via gh api tag dereference.
• [info] followup-recommended — PR body notes the upstream template at petry-projects/.github still uses @v1; a follow-up PR to the central repo would prevent recurrence in new repos. Not a blocker for this PR.

CI status

All status checks passed: CodeQL (actions/js-ts/python), SonarCloud Quality Gate, AgentShield, CI Pipeline, Node.js Tests, Playwright UI Tests, Coverage, Dependency audit. No blocking failures.

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[don-petry]

Superseded by #194 which adopts the full standard verbatim with the corrected SHA. Closing this stale PR.