docs(workflows): clarify intentional double .github/ in reusable-workflow paths

[don-petry]

Summary

• Adds inline # NOTE: comments to agent-shield.yml and dependabot-automerge.yml explaining why the petry-projects/.github/.github/workflows/ path is correct and intentional.
• The compliance check reusable-workflow-path-duplicate-github is a false positive: the "double .github/" is unavoidable valid GitHub syntax because reusable-workflow paths follow {owner}/{repo}/{path}@{ref}, and the org's reusables are stored at .github/workflows/ inside the petry-projects/.github repo.
• No functional change — uses: lines are unchanged. Every other org repo (e.g. TalkTerm) and the canonical templates in standards/workflows/ use the same path.

Root cause

The automated compliance checker identifies any uses: path containing two .github/ segments as a duplicate. For the special .github repository this pattern is structurally correct and cannot be avoided without breaking the workflow.

Test plan

• Verify AgentShield and Dependabot auto-merge workflows still run successfully on this PR
• Confirm the next weekly compliance audit does not re-open this issue

Closes #136

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 33 minutes and 48 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 33 minutes and 48 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aac485db-f26a-4e30-bcab-9d968b59e09b

📥 Commits

Reviewing files that changed from the base of the PR and between a69acf6 and e4f4798.

📒 Files selected for processing (2)

• .github/workflows/agent-shield.yml
• .github/workflows/dependabot-automerge.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-136-20260421-0140

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

CODEOWNERS review request: @don-petry — this PR addresses the weekly compliance finding for issue #136. The change is documentation-only (inline comments clarifying why the petry-projects/.github/.github/workflows/ path is correct). No uses: lines were modified. Please review and merge when CI is green.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Closing: duplicate .github/ is REQUIRED in reusable workflow paths. The format owner/repo/.github/workflows/ is correct.