
Fix CheckYourself DevArch findings #51

Merged
simongonzalezdc merged 1 commit into main from fix/checkyourself-findings on May 29, 2026

Conversation


@simongonzalezdc simongonzalezdc commented May 29, 2026

Summary
- pin GitHub Actions and reusable workflow references to full commit SHAs
- add Dependabot coverage for Python dependencies and Actions
- ignore private key files

## Verification
- python3 -m pytest -q (93 passed)
- workflow YAML parse check
- CheckYourself deep scan: 0 open findings
- git diff --check



Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD security by pinning all GitHub Actions and reusable workflows to specific commit versions across test, lint, publish, and archaeology pipelines
    • Enabled Dependabot to automatically check for weekly dependency updates for Python packages and GitHub Actions
    • Improved repository security by adding gitignore rules to prevent accidental commits of sensitive key files



coderabbitai Bot commented May 29, 2026

Walkthrough

This PR hardens supply chain security by pinning GitHub Actions and reusable workflows to specific commit SHAs across five workflows, adds Dependabot configuration for automated weekly dependency updates with ecosystem-specific labels and commit prefixes, and prevents accidental commits of TLS key material via .gitignore patterns.

Changes

Supply Chain Security Hardening

| Layer | File(s) | Summary |
|---|---|---|
| Dependabot weekly update configuration | .github/dependabot.yml | New Dependabot configuration enables automated weekly (Monday) checks for the pip and github-actions ecosystems at the repository root, with labels (dependencies plus python or ci) and ecosystem-specific commit message prefixes (chore(deps) and ci(deps)). |
| GitHub Actions pinning across workflows | .github/workflows/agent-law.yml, archaeology.yml, blacksmith-probe.yml, ci.yml, publish.yml | All workflows pin actions/checkout, actions/setup-python, pypa/gh-action-pypi-publish, actions/upload-artifact, actions/configure-pages, and actions/deploy-pages to specific commit SHAs instead of floating version tags, with persist-credentials: false added to checkout steps. The reusable workflow in blacksmith-probe is pinned to a specific commit instead of @main. |
| Secret file exclusion | .gitignore | Adds *.pem and *.key patterns to prevent accidental commits of TLS/secret key material. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is largely incomplete. It lacks the required 'Empower Orchestrator checklist' section entirely, which is mandatory according to the repository's description template. | Add the complete 'Empower Orchestrator checklist' section from the template with all required checkboxes and considerations. |
| Title check | ❓ Inconclusive | The title 'Fix CheckYourself DevArch findings' is vague and does not clearly convey the main changes in the PR, which involve pinning GitHub Actions to commit SHAs, adding Dependabot configuration, and updating .gitignore. | Consider a more specific title that highlights the primary changes, such as 'Pin GitHub Actions to commit SHAs and add Dependabot configuration' or 'Update workflows and dependencies per CheckYourself recommendations'. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

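The two hardening points the walkthrough describes (every `uses:` reference pinned to a full commit SHA rather than a floating tag or `@main`, and `persist-credentials: false` on every checkout step) are easy to regress in a later edit, so they are worth checking mechanically. The script below is an added example written for this page, not code from the repository: it scans workflow YAML line by line with regular expressions (assumption: the conventional GitHub workflow layout, one `uses:` per step) and reports floating references, unpinned reusable workflows, and checkout steps that keep the job token. The before/after workflows and the 40-character placeholder SHAs are constructed for the example.

```python
"""Audit GitHub Actions workflow YAML for two supply-chain hardening points:
1. every `uses:` reference is pinned to an immutable identifier (a full 40-hex
   commit SHA, or a sha256 digest for docker:// actions), not a tag or branch;
2. every actions/checkout step sets `persist-credentials: false`, so the job
   token is not left in .git/config for later steps to pick up.
Example code for this page, not the repository's own. Line-based regex parsing
(assumption: conventional workflow layout) avoids a third-party YAML library.
"""
import re
from typing import List, Optional, Tuple

# `uses: owner/repo@ref` or `- uses: ...`, quoted or not; the ref stops at a comment.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*(#.*)?$")

Finding = Tuple[int, str, str]  # (line number, kind, detail)


def split_ref(ref: str) -> Tuple[str, Optional[str]]:
    """Split 'owner/repo[/path]@version' into (target, version); local paths have none."""
    if "@" not in ref:
        return ref, None
    target, _, version = ref.rpartition("@")
    return target, version


def is_pinned(version: Optional[str]) -> bool:
    """Only a full commit SHA or an image digest is an immutable pin."""
    return bool(version) and bool(FULL_SHA_RE.match(version) or DIGEST_RE.match(version))


def audit_workflow(text: str) -> List[Finding]:
    lines = text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        lineno = idx + 1
        target, version = split_ref(m.group("ref"))
        if target.startswith("./"):
            continue  # local action in this repository: nothing external to pin
        if not is_pinned(version):
            findings.append((lineno, "unpinned", f"{target}@{version or '<none>'}"))
        if target == "actions/checkout":
            # The step's remaining keys (`with:` and its children) are indented at
            # least as far as the `uses` key; the next step or job is indented less.
            key_col = line.index("uses:")
            persist_false = False
            for nxt in lines[idx + 1:]:
                if not nxt.strip():
                    continue
                if len(nxt) - len(nxt.lstrip()) < key_col:
                    break
                if PERSIST_FALSE_RE.match(nxt):
                    persist_false = True
            if not persist_false:
                findings.append((lineno, "persist-credentials",
                                 "actions/checkout leaves the job token in .git/config"))
    return findings


SHA_A, SHA_B, SHA_C = "a" * 40, "b" * 40, "c" * 40  # constructed placeholders, not real commits

# Constructed 'before': floating tags, a reusable workflow on @main, checkout keeps the token.
BEFORE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
  probe:
    uses: example-org/example-repo/.github/workflows/probe.yml@main
"""

# Constructed 'after' in the shape this PR moves to: SHA pins plus persist-credentials: false.
AFTER = f"""\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_A} # v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@{SHA_B} # v5
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-helper
  probe:
    uses: example-org/example-repo/.github/workflows/probe.yml@{SHA_C}
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        report = audit_workflow(text)
        print(f"{label}: {len(report)} finding(s)")
        for lineno, kind, detail in report:
            print(f"  line {lineno}: {kind}: {detail}")
```

Keeping the `# v4` style comment after a SHA pin is deliberate: Dependabot's github-actions ecosystem (the one this PR enables) bumps the SHA and rewrites that version comment, so the pin stays readable without giving up immutability.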


@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/ci.yml (2)

11-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use Blacksmith runners for every CI job.

Line 11 and Line 43 still target matrix.os / ubuntu-latest, which violates the CI runner requirement. Switch all CI jobs to blacksmith-2vcpu-ubuntu-2404.

As per coding guidelines, "All CI runs on blacksmith-2vcpu-ubuntu-2404 runners".

Also applies to: 43-43

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 11-16, update the GitHub Actions
workflow to use the mandated Blacksmith runner: replace any occurrences of
"runs-on: ${{ matrix.os }}" and hardcoded "ubuntu-latest" in the CI matrix with
"runs-on: blacksmith-2vcpu-ubuntu-2404" (and remove or adjust the matrix.os
entries so jobs do not select ubuntu-latest); ensure every job that currently
references matrix.os or ubuntu-latest (including the other job noted around the
second occurrence) uses blacksmith-2vcpu-ubuntu-2404 instead.

9-65: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

CI policy checks are incomplete (build, concurrency, caching, Python/Node coverage).

This workflow currently defines test/lint only, has no concurrency, no explicit caching configuration, and no Node-version checks despite the stated Python/Node requirement. Please add a build job and enforce concurrency + cache + supported Python/Node matrices in this file.

As per coding guidelines, "CI workflow must run lint, test, and build checks on Blacksmith runners with concurrency and caching" and "CI must pass on all supported Python/Node versions".

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: eda3b9f6-4469-4874-a96e-ec7aaa95968c

📥 Commits

Reviewing files that changed from the base of the PR and between cc55511 and 1e08a5a.

📒 Files selected for processing (7)
  • .github/dependabot.yml
  • .github/workflows/agent-law.yml
  • .github/workflows/archaeology.yml
  • .github/workflows/blacksmith-probe.yml
  • .github/workflows/ci.yml
  • .github/workflows/publish.yml
  • .gitignore

@simongonzalezdc simongonzalezdc merged commit cd8a816 into main May 29, 2026
13 checks passed
@simongonzalezdc simongonzalezdc deleted the fix/checkyourself-findings branch May 29, 2026 20:31