fix: pin dependency-audit reusable workflow to SHA

[don-petry]

Summary

• Pins the petry-projects/.github reusable workflow reference in dependency-audit.yml from the mutable @v1 tag to the resolved commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05 (v1)
• Satisfies the Action Pinning Policy compliance requirement

Closes #158

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 35 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 45 minutes and 35 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6df15d0-f634-42a7-a1f4-373a631361e0

📥 Commits

Reviewing files that changed from the base of the PR and between 32e618b and bb3c292.

📒 Files selected for processing (1)

• .github/workflows/dependency-audit.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-158-20260414-1122

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Pins the org-level reusable workflow reference in dependency-audit.yml to an immutable commit SHA to satisfy the action pinning compliance requirement (Issue #158).

Changes:

• Updated uses: petry-projects/.github/...@v1 to @ae9709f... (with an inline # v1 note).

[Copilot]

The header comment above says you "MUST NOT change" the uses: line, but this workflow now correctly updates uses: to a pinned SHA for compliance. Please update the header guidance to reflect that uses: should remain pinned to the approved SHA (and only be updated when syncing from the source-of-truth), otherwise future editors may revert this back to a mutable tag.

[don-petry]

Automated review — APPROVED

Risk: LOW
Reviewed commit: f8c6c1850abcab9cc26df4dbf17f510e99ea1eee
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line change pins a reusable workflow reference from the mutable @v1 tag to its resolved commit SHA (ae9709f4), satisfying the org action-pinning policy (closes #158). The SHA is confirmed correct via the GitHub API — it is exactly the commit the annotated v1 tag points to. All CI checks pass (CodeQL, SonarCloud, build, tests, AgentShield) with zero new issues.

Findings

Info

• .github/workflows/dependency-audit.yml:33 — SHA ae9709f4466dec60a5733c9e7487f69dcd004e05 verified against petry-projects/.github refs/tags/v1 — correct dereferenced commit.
• CI status — All status checks passed: CodeQL (actions, JS/TS, Python), SonarCloud (0 issues, 0 hotspots), build-and-test, Node.js Tests, Playwright UI Tests, AgentShield, Coverage, dependency-audit.

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.