fix: pin feature-ideation.yml reusable workflow to SHA

[don-petry]

Summary

• Pins petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from @v1 to SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to resolve the action-pinning compliance finding
• Syncs file with latest upstream template: adds dry_run workflow_dispatch input, actions: read permission, and sources_file optional comment

SHA Verification

SHA was looked up via:

gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.sha'
# → ee22b427cbce9ecadcf2b436acb57c3adf0cb63d

Closes #88

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 15 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 45 minutes and 15 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b38db669-6f72-4cd3-a4c6-f3f62779ecd0

📥 Commits

Reviewing files that changed from the base of the PR and between bca8483 and 78b01b1.

📒 Files selected for processing (1)

• .github/workflows/feature-ideation.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-88-20260419-1833

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry — PR is ready for review and merge. This pins the feature-ideation-reusable.yml reusable workflow to SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d (the current v1 tag), resolving the action-pinning compliance finding in issue #88.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

This PR updates the repository’s Feature Ideation workflow caller stub to comply with action-pinning requirements by pinning the reusable workflow reference to a specific commit SHA, while also syncing a few upstream-template improvements (new input and permissions).

Changes:

• Pin petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from @v1 to commit ee22b427cbce9ecadcf2b436acb57c3adf0cb63d.
• Add dry_run as a workflow_dispatch input and forward it to the reusable workflow.
• Add actions: read to the job token permissions and document optional sources_file usage.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The file header states you “MUST NOT change” the uses: line and job-level permissions: block, but this PR intentionally updates both (SHA pin + actions: read). Consider updating that guidance to clarify that syncing/pinning the reusable ref and adding required permissions is allowed, so future editors aren’t confused by the contradiction.

[don-petry]

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 51e3e0161ff8715b76da9d7d914021d8268b7f19
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

PR #129 pins a reusable GitHub Actions workflow to a specific commit SHA to satisfy action-pinning compliance (issue #88). All CI checks pass (CodeQL, SonarCloud, AgentShield all green with 0 security hotspots). The changes are a net security improvement; risk is MEDIUM only because GitHub Actions files are in scope — no escalation warranted.

Findings

Minor

• [minor] .github/workflows/feature-ideation.yml:94 — PR description verifies the SHA via gh api repos/petry-projects/.github/git/refs/tags/v1 --jq .object.sha. For annotated tags this returns the tag-object SHA, not the commit SHA. GitHub Actions resolves uses: to commit SHAs, so if v1 is an annotated tag the pinned SHA would be the tag object and the workflow would fail at runtime. The SHA should be verified with --jq '.object | if .type == "tag" then .sha else .sha end' or by dereferencing the tag object. This is worth confirming before merge but is a correctness risk, not a security risk.

Info

• [info] .github/workflows/feature-ideation.yml:94 — SHA pinning of reusable workflow is the correct supply-chain security practice. The comment # v1 alongside the SHA is good for maintainability.
• [info] .github/workflows/feature-ideation.yml:88 — Addition of actions: read permission is correctly scoped and documented in the inline comment (needed for feed-checkpoint last-successful-run query).
• [info] (ci) — All CI checks passed: CodeQL (SUCCESS), SonarCloud Quality Gate (0 new issues, 0 security hotspots), AgentShield (SUCCESS), Dependency audit (SKIPPED — no packages changed). No scanner warnings.
• [info] .github/workflows/feature-ideation.yml:110 — New dry_run boolean input is correctly typed and forwarded as ${{ inputs.dry_run || false }}. Default is false, so existing scheduled runs are unaffected.

CI status

All CI checks passed: CodeQL (SUCCESS), SonarCloud Quality Gate (0 new issues, 0 security hotspots), AgentShield (SUCCESS), Dependency audit (SKIPPED — no packages changed).

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.