
ci: pin dependency-audit reusable workflow to SHA (closes #87)#128

Open
don-petry wants to merge 2 commits into main from claude/issue-87-20260419-1833

Conversation

@don-petry
Contributor

@don-petry don-petry commented Apr 19, 2026

Summary

  • Pin dependency-audit-reusable.yml reusable workflow reference from @v1 to its full commit SHA to satisfy the org-level action-pinning policy.

Change

# Before
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

# After
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1

SHA was resolved via gh api repos/petry-projects/.github/git/refs/tags/v1.

The # v1 comment is retained for human readability.

Closes #87

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration to pin the dependency audit workflow to a specific version for improved stability and reproducibility.
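The policy this PR satisfies is easy to check mechanically, and the resolution step it describes (`gh api .../git/refs/tags/v1`) has one edge case worth seeing: for an annotated tag that endpoint returns the SHA of the tag object, not of the commit, and a second lookup is needed before the value is safe to put in `uses:`. The script below is an added example, not code from this PR or from petry-projects: `find_unpinned` flags any `uses:` ref that is not a full 40-hex commit SHA, and `commit_sha_from_ref` mirrors the dereferencing logic on API responses that are embedded inline so it runs offline. The workflow text is reconstructed from the diff in this PR and the `ee22b427…` SHA is the one the PR pins to; the annotated-tag SHAs and the helper names are constructed for illustration.

```python
"""Added example (not from the PR): audit `uses:` pins in a workflow file and
dereference a tag ref from the GitHub REST API to a commit SHA."""
import re

# A `uses:` line whose target carries a git ref after '@'. Local actions
# (`./path`) and `docker://` images have no '@' ref and are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>[^@\s]+)@(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, ref) for every `uses:` ref that is not a full commit SHA.

    Tags (`@v1`), branches (`@main`) and abbreviated SHAs are all mutable or
    ambiguous from the policy's point of view, so only a 40-hex SHA passes.
    """
    unpinned = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            unpinned.append((n, m.group("ref")))
    return unpinned


def commit_sha_from_ref(ref_obj: dict, tag_objects: dict) -> str:
    """Turn the JSON of `gh api repos/O/R/git/refs/tags/<tag>` into a commit SHA.

    A lightweight tag's ref points straight at a commit. An annotated tag's ref
    points at a tag object; the commit is obtained by looking that object up
    (the `git/tags/<sha>` endpoint). `tag_objects` stands in for that lookup so
    the function works offline (constructed for this example).
    """
    obj = ref_obj["object"]
    if obj["type"] == "commit":
        return obj["sha"]
    if obj["type"] == "tag":
        tag = tag_objects[obj["sha"]]
        if tag["object"]["type"] != "commit":
            raise ValueError("tag object does not point at a commit")
        return tag["object"]["sha"]
    raise ValueError(f"unexpected ref object type {obj['type']!r}")


# Workflow fragment before and after the PR (reconstructed from the diff).
SAMPLE_WORKFLOW_BEFORE = """\
jobs:
  dependency-audit:
    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
"""
SAMPLE_WORKFLOW_AFTER = """\
jobs:
  dependency-audit:
    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1
"""

# Lightweight tag: the ref object is the commit itself (SHA taken from the PR).
LIGHTWEIGHT_TAG_REF = {
    "ref": "refs/tags/v1",
    "object": {"type": "commit", "sha": "ee22b427cbce9ecadcf2b436acb57c3adf0cb63d"},
}

# Annotated tag: the ref points at a tag object, which in turn points at the
# commit. Both SHAs below are constructed placeholders, not real objects.
CONSTRUCTED_TAG_OBJECT_SHA = "1" * 40
CONSTRUCTED_COMMIT_SHA = "2" * 40
ANNOTATED_TAG_REF = {
    "ref": "refs/tags/v1",
    "object": {"type": "tag", "sha": CONSTRUCTED_TAG_OBJECT_SHA},
}
TAG_OBJECTS = {
    CONSTRUCTED_TAG_OBJECT_SHA: {
        "tag": "v1",
        "object": {"type": "commit", "sha": CONSTRUCTED_COMMIT_SHA},
    }
}


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_WORKFLOW_BEFORE), ("after", SAMPLE_WORKFLOW_AFTER)):
        print(label, "unpinned refs:", find_unpinned(text))
    print("lightweight ->", commit_sha_from_ref(LIGHTWEIGHT_TAG_REF, TAG_OBJECTS))
    print("annotated   ->", commit_sha_from_ref(ANNOTATED_TAG_REF, TAG_OBJECTS))
```

Run against a checkout, `find_unpinned(open(".github/workflows/dependency-audit.yml").read())` returning an empty list is the condition the org policy asks for; the "before" fragment reports line 3 with ref `v1`. Pinning to whatever `refs/tags/v1` returns without the type check would, for an annotated tag, put a tag-object SHA into `uses:`, which Actions cannot resolve.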

Pin the dependency-audit-reusable.yml reusable workflow reference from
@v1 to its full commit SHA to satisfy the org-level action-pinning policy.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 18:34
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fcf13dd8-af28-4034-b600-251f9292ade3

📥 Commits

Reviewing files that changed from the base of the PR and between f9d9937 and 7808f77.

📒 Files selected for processing (1)
  • .github/workflows/dependency-audit.yml

Walkthrough

This PR pins a reusable GitHub Actions workflow reference in .github/workflows/dependency-audit.yml from a floating version tag (@v1) to a specific commit SHA (@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d), resolving a compliance finding for unpinned action dependencies.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Configuration: .github/workflows/dependency-audit.yml | Pinned reusable workflow reference from floating tag @v1 to specific commit SHA for action pinning compliance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: pinning the dependency-audit reusable workflow to a commit SHA, and directly references the closed issue #87.
Linked Issues check ✅ Passed The pull request successfully addresses issue #87 by pinning the unpinned action reference to a commit SHA, bringing the workflow into compliance with the organization's action-pinning policy.
Out of Scope Changes check ✅ Passed The pull request contains only the minimal required change to address the compliance issue: updating the workflow reference from a tag to a commit SHA.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@don-petry
Contributor Author

@don-petry — this PR pins the dependency-audit-reusable.yml reusable workflow to its full commit SHA to resolve the action-pinning compliance finding in issue #87. Single-line change, SHA verified via gh api. Ready for your review and merge.

Copilot AI left a comment

Pull request overview

Pins the dependency-audit reusable workflow callsite to an immutable commit SHA to comply with the org action-pinning policy (remediating issue #87).

Changes:

  • Update .github/workflows/dependency-audit.yml to reference petry-projects/.github reusable workflow by full commit SHA instead of @v1.

jobs:
dependency-audit:
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1
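Review bot: The trailing `# v1` comment on the new `uses:` line has nothing keeping it in sync with the SHA, so a later bump that changes only the hash will leave a misleading label; pair every SHA update with the comment, or record in the comment the exact tag the SHA was resolved from. It is also worth confirming before merge that `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` is a commit object: `git/refs/tags/v1` returns the SHA of the tag object when `v1` is an annotated tag, and that value must be dereferenced once more (`git/tags/<sha>`) because `uses:` expects a commit SHA.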
Copilot AI Apr 19, 2026

The header comment says editors "MUST NOT change ... the uses: line", but this workflow now requires updating the uses: ref (SHA) over time to stay current/compliant. Consider tweaking the guidance to something precise like “do not change the workflow path/job name; only update the pinned ref when bumping versions,” to avoid misleading future edits.

@don-petry
Contributor Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: 7808f77c9924c942e00b769f68bc97bb43467502
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line change pinning a reusable workflow reference from a floating tag (@v1) to a full commit SHA, satisfying the org-level action-pinning policy and closing issue #87. All CI checks pass (CodeQL, SonarCloud, AgentShield, CodeRabbit); no new issues or security hotspots detected.

Findings

Info

  • [info] .github/workflows/dependency-audit.yml:33 — SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d was resolved per the PR description via gh api repos/petry-projects/.github/git/refs/tags/v1. Cannot independently verify the SHA without access to the upstream repo, but the derivation is documented and auditable.

CI status

All checks green (CodeQL, SonarCloud, AgentShield, CodeRabbit). Reason codes: ci-green, single-line-change, security-improvement, issue-addressed.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 19, 2026 19:29
Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-dependency-audit.yml

2 participants