fix: pin agent-shield reusable workflow to SHA (closes #83)

[don-petry]

Summary

Pins the agent-shield-reusable.yml reusable workflow reference from the floating @v1 tag to its exact commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, with a # v1 comment preserved for human readability.

This satisfies the org action-pinning policy flagged by the weekly compliance audit.

Changes

• .github/workflows/agent-shield.yml: @v1 → @ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1

Closes #83

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 43 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 43 minutes and 55 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 532d8f34-ad65-48d6-aac4-f57ee28990e1

📥 Commits

Reviewing files that changed from the base of the PR and between bca8483 and 8a3a138.

📒 Files selected for processing (1)

• .github/workflows/agent-shield.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-83-20260414-1232

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Pins the repo’s AgentShield caller workflow to an immutable commit SHA to comply with the org action-pinning policy and resolve the compliance audit finding.

Changes:

• Updated .github/workflows/agent-shield.yml to reference the reusable workflow by full commit SHA (retaining a # v1 comment for readability).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Automated review — APPROVED

Risk: LOW
Reviewed commit: 3f104a8360b0025479234004381157140b2f7792
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR pins a reusable GitHub Actions workflow reference from the mutable @v1 floating tag to an immutable commit SHA, which is a security improvement that satisfies the org's action-pinning policy (closes #83). All CI checks pass (AgentShield, CodeQL, SonarCloud Quality Gate with 0 security hotspots), the diff is a single-line change with no regressions, and the escalation from triage was due to a triage output failure rather than a genuine risk signal.

Findings

Info

• .github/workflows/agent-shield.yml:33 — Floating @v1 tag replaced with commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05 — best practice for supply chain security, satisfies the org action-pinning policy. The # v1 comment preserves human readability.
• CI status: All checks passed — AgentShield (SUCCESS), CI (SUCCESS), CodeQL (SUCCESS), SonarCloud Quality Gate (PASSED, 0 new issues, 0 security hotspots), CodeRabbit (SUCCESS).
• Triage escalation: Triage escalated with signal triage-output-invalid — fallback due to triage failure, not a substantive risk finding. No genuine risk signals were identified.

CI status

All checks passed (AgentShield, CI, CodeQL, SonarCloud Quality Gate, CodeRabbit).

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.