fix: pin dependency-audit reusable workflow to SHA

[don-petry]

Summary

• Pins the reusable workflow reference from @v1 to commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to satisfy the Action Pinning Policy.

Before:

uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

After:

uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1

The SHA was resolved from the v1 tag via gh api repos/petry-projects/.github/git/refs/tags/v1.

Closes #158

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated workflow dependency reference for improved build reproducibility and stability.

[don-petry]

This PR is ready for review and merge. @don-petry — you are the code owner, could you please review and merge this to close the compliance finding in issue #158? This is a single-line change pinning the reusable workflow SHA.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 512b061f-e401-4d8f-87ae-0721a57a2244

📥 Commits

Reviewing files that changed from the base of the PR and between 92719c9 and 392499c.

📒 Files selected for processing (1)

• .github/workflows/dependency-audit.yml

---

📝 Walkthrough

Walkthrough

Updated the reusable GitHub Actions workflow reference in .github/workflows/dependency-audit.yml from version tag @v1 to a pinned commit SHA to comply with action-pinning policy requirements.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Configuration .github/workflows/dependency-audit.yml	Pinned reusable workflow reference from dependency-audit-reusable.yml@v1 to commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to enforce action-pinning compliance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• Compliance: unpinned-actions-dependency-audit.yml #158: This PR directly addresses the compliance finding by pinning the unpinned reusable workflow action reference to a specific commit SHA, resolving the action-pinning policy violation.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: pinning the dependency-audit reusable workflow reference from a tag to a specific commit SHA.
Linked Issues check	✅ Passed	The pull request successfully addresses issue #158 by pinning the unpinned dependency-audit-reusable.yml workflow reference to a specific commit SHA per the Action Pinning Policy.
Out of Scope Changes check	✅ Passed	All changes are directly related to the linked issue #158; only the workflow reference was updated from @v1 tag to the pinned commit SHA with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-158-20260419-2333

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Pins the dependency-audit reusable workflow reference to a specific commit SHA to satisfy the organization’s GitHub Actions pinning policy (closes #158).

Changes:

• Replace @v1 with a commit SHA for petry-projects/.github/.github/workflows/dependency-audit-reusable.yml.
• Add an inline # v1 note to preserve the semantic version context.

[Copilot]

The header comment says you "MUST NOT change ... the uses: line", but this PR necessarily changes it to comply with the action pinning policy. Consider updating that guidance to reflect the intended maintenance process (e.g., uses should be pinned to a commit SHA, and only the SHA may be updated when the reusable workflow/tag advances) so future edits aren’t blocked by contradictory instructions.