
fix(compliance-audit): exempt internal reusable workflow refs from SHA pinning check #263

Closed

don-petry wants to merge 0 commits into main from claude/issue-261-20260512-1901

Conversation

@don-petry (Contributor) commented May 12, 2026

Summary

  • Fixes false-positive unpinned-actions-* findings in compliance audit for Tier 1 caller stubs that reference petry-projects/.github internal reusable workflows
  • The audit was incorrectly flagging agent-shield.yml, claude.yml, dependabot-automerge.yml (and equivalents in all downstream repos) because the @v1/@main tag refs used for internal reusable workflows are explicitly exempt from SHA pinning per ci-standards.md#action-pinning-policy

Root cause

check_action_pinning() in scripts/compliance-audit.sh scanned all uses: lines for non-SHA refs but did not implement the documented exemption for petry-projects/.github internal reusable workflow references. This produced false positives for every repo that correctly uses Tier 1 stub workflows.

Why internal reusable refs must NOT be SHA-pinned

  1. Anthropic OIDC validates that .github/workflows/claude.yml on a PR branch is byte-for-byte identical to main — any diff (including a SHA pin on uses:) causes 401 Workflow validation failed
  2. The petry-projects/.github org controls the @v1 tag — no supply-chain risk from tag-force-push
  3. @v1 allows the org to push improvements to all downstream repos simultaneously by bumping the tag

Compliance findings addressed (.github repo)

| Finding | Status |
| --- | --- |
| unpinned-actions-agent-shield.yml | ✅ False positive eliminated |
| unpinned-actions-claude.yml | ✅ False positive eliminated |
| unpinned-actions-dependabot-automerge.yml | ✅ False positive eliminated |

Related PRs created in other repos

Remaining findings requiring human action (cannot be fixed via PR alone)

The following categories across all 8 repos require either admin API credentials or workflows write permission:

| Category | Required action |
| --- | --- |
| Repository settings (allow_auto_merge, delete_branch_on_merge, check-suite-auto-trigger-*) | Run bash scripts/apply-repo-settings.sh <repo> with admin token |
| Secret scanning (secret_scanning_ai_detection, secret_scanning_non_provider_patterns) | Run bash scripts/apply-repo-settings.sh <repo> |
| Workflow additions/fixes (all 22 workflow findings) | Requires workflows write permission — not available to this agent |
| SHA pinning in workflow files (unpinned-actions-* genuine findings) | Requires workflows write permission |
| secret_scan_ci_job_present | Requires adding gitleaks job to ci.yml — needs workflows permission |

Closes #261

Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Compliance audit updated to treat internal reusable workflows as intentional exceptions to action-pinning checks. This reduces false-positive flags, cuts down noisy audit alerts, and makes pinning reports more accurate—helping maintainers focus on real issues and speeding up review and remediation.


Copilot AI review requested due to automatic review settings May 12, 2026 19:14
@don-petry don-petry requested a review from a team as a code owner May 12, 2026 19:14
@coderabbitai

coderabbitai Bot commented May 12, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 31 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: bed3c788-c4bb-465d-9075-840e29953b9d

📥 Commits

Reviewing files that changed from the base of the PR and between 2eb675d and 59b6003.

📒 Files selected for processing (1)
  • scripts/compliance-audit.sh
📝 Walkthrough

Walkthrough

The compliance audit script updates its unpinned GitHub Actions detection to exclude internal petry-projects/.github/... reusable workflow references. These calls are now treated as an intentional exception, similar to existing docker and local action exclusions.

Changes

Compliance Audit Exception

| Layer / File(s) | Summary |
| --- | --- |
| Internal reusable workflow exception (scripts/compliance-audit.sh) | The check_action_pinning function filters the unpinned detection grep pipeline to exclude uses: petry-projects/.github/... references, preventing internal reusable workflow calls from being flagged as unpinned. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Possibly related PRs

  • petry-projects/.github#98 — Updates the audit script to ignore uses: petry-projects/.github/... reusable workflow references for SHA pinning.
  • petry-projects/.github#159 — Documents the internal reusable workflow SHA-pinning exception that this change implements.
  • petry-projects/.github#89 — Also modifies scripts/compliance-audit.sh's handling of uses: petry-projects/.github/... in pinning/compliance logic.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'fix(compliance-audit): exempt internal reusable workflow refs from SHA pinning check' directly and clearly describes the main change—adding an exemption for internal reusable workflow references in the compliance audit script. |
| Linked Issues check | ✅ Passed | The PR addresses issue #261's Action SHA pinning (42 findings) category by fixing false-positive unpinned-action findings for internal reusable workflows, which aligns with the documented exemption per ci-standards.md. |
| Out of Scope Changes check | ✅ Passed | All changes in scripts/compliance-audit.sh are scoped to fixing the unpinned action detection logic for internal reusable workflows, directly addressing the root cause of false positives without introducing unrelated modifications. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


@don-petry
Contributor Author

CI is green. @petry-projects/org-leads — this PR is ready for review and merge.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the compliance audit script to exempt internal reusable workflows from SHA-pinning requirements, which prevents OIDC validation failures. A review comment suggests anchoring the exclusion regex to the start of the line to ensure the audit remains robust against false negatives in commented-out code.

Comment thread scripts/compliance-audit.sh Outdated
# cause OIDC validation failures for claude.yml on PR branches.
local unpinned
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' || true)
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'uses:\s+petry-projects/\.github/' || true)
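Review bot: the new `grep -vE 'uses:\s+petry-projects/\.github/'` on the added line is unanchored, so it matches anywhere on the line. A step such as `- uses: actions/checkout@v4 # uses: petry-projects/.github/...` passes the first filter (its `@` sits before the `#`) and is then wrongly exempted; anchoring the exclusion as `^\s*-?\s*uses:\s+petry-projects/\.github/` closes that gap. The same pattern also exempts every path under `petry-projects/.github/`, while the comment context above describes the exception in terms of the reusable workflow that OIDC validates; matching `petry-projects/\.github/\.github/workflows/` would keep any composite action hosted in that repo subject to the SHA check.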

medium

The exclusion regex for internal reusable workflows is not anchored to the start of the line. This can lead to false negatives if a uses: directive for a different action contains the exempt string within a comment (e.g., uses: actions/checkout@v4 # uses: petry-projects/.github/...). Anchoring the regex ensures that only the actual action reference is evaluated for exemption, maintaining the integrity of the audit for other actions.

Suggested change
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'uses:\s+petry-projects/\.github/' || true)
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE '^\s*-?\s*uses:\s+petry-projects/\.github/' || true)


Copilot AI left a comment


Pull request overview

Updates the compliance audit’s action SHA-pinning check to stop reporting false positives for Tier 1 workflow caller stubs that legitimately reference petry-projects/.github reusable workflows via tag refs (@v1, @main), aligning the audit behavior with the documented exception in ci-standards.md.

Changes:

  • Exempts petry-projects/.github references from the check_action_pinning() “unpinned actions” scan.
  • Adds inline documentation in compliance-audit.sh explaining the internal reusable workflow exception and OIDC validation motivation.


Comment thread scripts/compliance-audit.sh Outdated
# cause OIDC validation failures for claude.yml on PR branches.
local unpinned
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' || true)
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'uses:\s+petry-projects/\.github/' || true)
donpetry-bot previously approved these changes May 12, 2026

@donpetry-bot donpetry-bot left a comment


Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 49c39329fe2d6ca5c7ae3c68d48be75c2ba243d6
Review mode: triage-approved (single reviewer)

Summary

A 5+/1- change to scripts/compliance-audit.sh that extends check_action_pinning() with a grep -vE 'uses:\s+petry-projects/\.github/' filter so internal reusable workflow refs are no longer flagged as unpinned. The exemption is explicitly documented in standards/ci-standards.md#action-pinning-policy ("Exception: Internal Reusable Workflow References") and is required because Anthropic OIDC validates that claude.yml on a PR branch is byte-for-byte identical to main — any diff, including a SHA pin on uses:, triggers 401 Workflow validation failed. The org controls the @v1 tag, so the standard supply-chain rationale for SHA-pinning does not apply here.

Linked issue analysis

The PR is scoped against #261 (umbrella compliance-audit findings, 2026-05-12) and addresses a specific subset: the false-positive unpinned-actions-agent-shield.yml, unpinned-actions-claude.yml, and unpinned-actions-dependabot-automerge.yml findings on the .github repo (and equivalents in downstream repos). The PR description is explicit that the remaining categories (repo settings, secret-scanning, workflow additions, genuine SHA-pinning, and secret_scan_ci_job_present) require admin API credentials or workflows write permission and are out of scope here. Partial closure of #261 is appropriate.

Findings

No blocking issues.

  • Style nit (non-blocking): gemini-code-assist suggested anchoring the new exclusion regex to the start of the line for robustness against commented-out code. This is unnecessary: the upstream filter in the same pipeline (^\s*-?\s*uses:\s+[^#]*@) is start-anchored and does not match comment lines like # uses: ..., so the exemption filter never sees commented-out content. The current form is correct and readable; no change required.
  • Scope of regex: uses:\s+petry-projects/\.github/ targets only refs under the petry-projects/.github org's own path. This matches the documented exception verbatim and does not over-exempt other petry-projects/* repos.
  • Branch is BEHIND main: non-blocking, just needs a rebase before merge.

CI status

All required checks green: AgentShield, CI (Lint, ShellCheck, Agent Security Scan), Claude Code, CodeQL (Analyze actions), SonarCloud (Quality Gate passed, 0 new issues), Dependency audit (Detect ecosystems), CodeRabbit. No security warnings raised by any scanner on this diff.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@donpetry-bot donpetry-bot enabled auto-merge (squash) May 12, 2026 22:40

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Line 217: The grep exclusion is too broad—update the unpinned assignment
(variable unpinned) so it only ignores reusable workflow references under
petry-projects/.github (e.g. paths containing ".github/workflows/"), not every
petry-projects/.github usage; replace the final grep -vE
'uses:\s+petry-projects/\.github/' with a more specific pattern like -vE
'uses:\s+petry-projects/\.github/.*workflows/' so only reusable workflow calls
are exempted while other petry-projects/.github action uses remain checked.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 24247e1c-5fce-4c54-8f04-25a725b947bd

📥 Commits

Reviewing files that changed from the base of the PR and between 8558fa5 and b7207ed.

📒 Files selected for processing (1)
  • scripts/compliance-audit.sh

Comment thread scripts/compliance-audit.sh Outdated

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
scripts/compliance-audit.sh (1)

217-217: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Narrow the exemption to internal reusable workflows only.

At Line 217, the filter excludes every uses: petry-projects/.github/... reference, which is broader than the documented exception and can mask real unpinned findings. Restrict the exemption to reusable workflow paths (.github/workflows/...@ref) only.

Suggested diff
-    unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'uses:\s+petry-projects/\.github/' || true)
+    unpinned=$(echo "$decoded" \
+      | grep -E '^\s*-?\s*uses:\s+[^#]*@' \
+      | grep -vE '@[0-9a-f]{40}' \
+      | grep -vE '(docker://|\.\/)' \
+      | grep -vE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*petry-projects/\.github/\.github/workflows/[^@]+@' \
+      || true)
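Review bot: the suggested exemption switches to POSIX `[[:space:]]` while the three earlier greps in the same pipeline keep the GNU-only `\s`; if portability is the aim, convert those too, otherwise keep one style so the pipeline reads consistently. The `[[:space:]]*` after `uses:` in the new pattern also accepts `uses:petry-projects/...` with no space, which the upstream `uses:\s+[^#]*@` filter never passes, so `[[:space:]]+` is the consistent choice. Separately, the agent prompt below this diff spells the path as `petry-projects/\.github/workflows/[^@]+@`, dropping the repository's own `.github/` directory; the diff's `petry-projects/\.github/\.github/workflows/` is the form that actually matches a reusable-workflow ref, and the two should agree.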
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/compliance-audit.sh` at line 217, The current unpinned detection
command (assigning to variable unpinned) is too broad because it excludes any
uses: petry-projects/.github/... references; update the grep exclusion so it
only exempts reusable workflow calls under .github/workflows (e.g., match
uses:\s+petry-projects/\.github/workflows/[^@]+@) instead of the existing
petry-projects/\.github/ pattern, leaving all other filters intact so genuine
unpinned uses are still reported.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 045a96b0-303a-4c4f-b172-f00f12fb1847

📥 Commits

Reviewing files that changed from the base of the PR and between b7207ed and 88636c7.

📒 Files selected for processing (1)
  • scripts/compliance-audit.sh

@donpetry-bot
Contributor

donpetry-bot commented May 13, 2026

Superseded by automated re-review at aa22a1b49fc303b568f9153c7959f800c166fd6e. Prior review:

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@donpetry-bot donpetry-bot dismissed their stale review May 13, 2026 16:32

Superseded by automated re-review at 88636c7.

@donpetry-bot
Contributor

Review — fix requested (cycle 3/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@donpetry-bot
Contributor

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

@donpetry-bot donpetry-bot requested a review from a team May 14, 2026 16:10

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
scripts/compliance-audit.sh (1)

224-224: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unresolved issue from previous review: Exemption pattern is too broad.

This concern was previously raised and remains unfixed. The pattern uses:\s+petry-projects/\.github/ excludes all petry-projects/.github/ references, not just reusable workflows. This deviates from the documented policy in the comments (lines 219-222) which specifies "internal reusable workflow refs" only.

Risk: If petry-projects/.github ever contains composite actions or other GitHub Actions (not reusable workflows), references to them with tag pins like @v1 would be incorrectly exempted from SHA-pinning checks, creating a compliance gap.

Fix: Narrow the pattern to match only reusable workflow paths (petry-projects/.github/.github/workflows/):

🔧 Suggested fix
-    unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'uses:\s+petry-projects/\.github/' || true)
+    unpinned=$(echo "$decoded" \
+      | grep -E '^\s*-?\s*uses:\s+[^#]*@' \
+      | grep -vE '@[0-9a-f]{40}' \
+      | grep -vE '(docker://|\.\/)' \
+      | grep -vE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*petry-projects/\.github/\.github/workflows/[^@]+@' \
+      || true)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/compliance-audit.sh` at line 224, The current exclusion in the
construction of the unpinned variable uses a too-broad pattern
`uses:\s+petry-projects/\.github/` which exempts all references to
petry-projects/.github (including composite actions); update the grep/regex in
the unpinned assignment that builds the unpinned variable to only exclude
internal reusable workflow refs by matching the reusable-workflow path (e.g.,
`petry-projects/.github/.github/workflows/`) instead of the entire `.github`
repo root so only reusable workflow usages are skipped.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2d8f8f26-ba01-4b6c-a716-6ea7bf122a4c

📥 Commits

Reviewing files that changed from the base of the PR and between 88636c7 and 2eb675d.

📒 Files selected for processing (1)
  • scripts/compliance-audit.sh
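As an added example (not the project's scripts/compliance-audit.sh and not code posted by any reviewer), the following POSIX shell reimplements the unpinned-action scan the thread argues over, combining gemini-code-assist's start-of-line anchoring with CodeRabbit's narrowing to reusable-workflow paths, and runs it over a constructed caller workflow that covers each case raised: a tag-pinned third-party action with a misleading trailing comment, a SHA-pinned action, a commented-out line, an internal reusable workflow at @v1, and a composite action under petry-projects/.github. The function names find_unpinned and count_unpinned, the SAMPLE_WORKFLOW text and the placeholder SHA are assumptions of this example, not values from the project.

```shell
#!/bin/sh
# Added example, not the project's compliance-audit.sh. Reimplements the
# "unpinned uses:" scan with (a) the exemption anchored to the start of the
# line and (b) the exemption narrowed to reusable-workflow paths only.
# Only POSIX character classes are used so the patterns work with any grep -E.

# Constructed sample caller workflow (assumption; not a real repo file).
# The SHA on the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  shield:
    uses: petry-projects/.github/.github/workflows/agent-shield.yml@v1
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # uses: petry-projects/.github/.github/workflows/x.yml@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      # - uses: petry-projects/.github/.github/workflows/old.yml@main
      - uses: petry-projects/.github/some-composite-action@v1
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-thing
'

# find_unpinned: read workflow YAML on stdin and print each `uses:` line whose
# ref is not a 40-hex commit SHA, skipping docker images, local actions and
# internal reusable workflows under petry-projects/.github/.github/workflows/.
# The first grep is start-anchored, which is what keeps "# - uses:" comment
# lines out; the exemption is start-anchored too, so a trailing comment on a
# different action's line cannot exempt that action.
find_unpinned() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]+[^#]*@' \
      | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' \
      | grep -vE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]+(docker://|\./)' \
      | grep -vE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]+petry-projects/\.github/\.github/workflows/[^@[:space:]]+@' \
      || true
}

# count_unpinned: number of findings on the sample. With the logic above this
# is 2: the checkout line (exempt string only in its comment) and the
# composite-action line (under petry-projects/.github but not a workflow).
count_unpinned() {
    printf '%s' "$SAMPLE_WORKFLOW" | find_unpinned | grep -c . || true
}

# Stand-alone usage: list the findings for the sample workflow.
printf '%s' "$SAMPLE_WORKFLOW" | find_unpinned
```

Running the file prints the two findings. The reusable-workflow call at job level (no leading dash) is exempted, the SHA-pinned step and the commented-out line never reach the exemption, and the composite action referenced by tag is still reported, which is the compliance gap CodeRabbit's comment describes.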

@don-petry
Contributor Author

@dev-lead - please fix this PR


@don-petry
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push


@don-petry don-petry closed this May 24, 2026
auto-merge was automatically disabled May 24, 2026 13:26

Pull request was closed

@don-petry don-petry force-pushed the claude/issue-261-20260512-1901 branch from 59b6003 to b6f0535 Compare May 24, 2026 13:26
@don-petry
Contributor Author

Automated rebase result: the PR's fix was already independently applied to main (commits adding the petry-projects/.github exemption to check_action_pinning), with improvements that also cover .github-private and use portable POSIX character classes.

After rebasing onto current main, the PR commit (49c3932) had no remaining changes to apply — the rebase produced an empty branch. The PR has been auto-closed by GitHub since head now matches base.

No action needed; the intent of issue #261 is already satisfied on main.

@don-petry
Contributor Author

Dev-Lead — rebase (no-changes)

Agent reasoning
PR: #263
Rebased onto: main
Conflicts resolved: 1 file
- scripts/compliance-audit.sh: kept main's version (strict superset — also exempts .github-private and uses portable POSIX regex); PR commit became no-op and was dropped during rebase
Push: success (PR auto-closed by GitHub since branch is now identical to main; explanatory comment posted)


Development

Linked issue: Compliance audit — 2026-05-12 (#261)

3 participants