ci: pin dependency-audit reusable workflow to SHA (closes #87)

[don-petry]

Summary

Pin the dependency-audit-reusable.yml reusable workflow reference to its full commit SHA to satisfy the org-level action-pinning policy.

Change

-    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
+    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@208ec2d69b75227d375edf8745d84fbac05a76b2 # v1

SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 corresponds to tag v1 in petry-projects/.github, resolved via:

gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.sha'

Closes #87

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 1 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 44 minutes and 1 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7e055380-95ba-4754-9973-4c7d82d2cd30

📥 Commits

Reviewing files that changed from the base of the PR and between bca8483 and 9b9bf9c.

📒 Files selected for processing (1)

• .github/workflows/dependency-audit.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-87-20260414-1244

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry — you're the CODEOWNERS owner for this repo. This PR pins the dependency-audit-reusable.yml reusable workflow to its full commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2 = v1) to resolve the compliance finding in issue #87. Please review and merge when CI is green.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Pins the org-level dependency-audit reusable workflow reference to an immutable commit SHA to comply with the action-pinning policy and resolve the compliance finding in #87.

Changes:

• Updated the reusable workflow reference from the mutable @v1 tag to the full commit SHA (@208ec2d...) with an inline # v1 annotation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Automated review — APPROVED

Risk: LOW
Reviewed commit: 5150bffe1500da98b5396eee824b77b7815c22ed
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line GitHub Actions workflow change that pins a reusable workflow reference from a mutable @v1 tag to an immutable commit SHA, improving supply chain security and satisfying the org action-pinning policy (issue #87). All CI checks pass (CodeQL, SonarCloud, AgentShield) with zero new issues or security hotspots. Triage escalated due to an internal triage failure, not actual content risk.

Findings

Info

• .github/workflows/dependency-audit.yml:33 — SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 is asserted to correspond to tag v1 in petry-projects/.github; inline # v1 comment preserves human readability. This is the correct and recommended practice per CIS benchmark and SLSA supply chain guidelines.
• CI status: All required checks passed: CodeQL (actions), SonarCloud (Quality Gate passed, 0 new issues, 0 security hotspots), AgentShield, CI. Backend/Frontend CI correctly skipped — no application code changed.
• Triage escalation note: Triage tier produced invalid output (triage-output-invalid signal), causing automatic escalation. The PR content itself does not exhibit MEDIUM or HIGH risk characteristics.

CI status

All required checks passed (CodeQL, SonarCloud, AgentShield, CI). Backend/Frontend CI correctly skipped — no application code changed.

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.