fix(compliance-audit): address reviewer comments on issue counters and output

- Add issue-counts.json to header Outputs comment (Copilot #36)
- ISSUES_EXISTING: only increment when gh issue comment succeeds, not on || true failure (Copilot #1045)
- ISSUES_REMOVED: only increment when gh issue close succeeds, not on || true failure (Copilot #1268)
- Make issue-count JSON/summary conditional on issue management running; show skip notice when DRY_RUN=true or CREATE_ISSUES=false (CodeRabbit #1608)
- Footer is now always the final element, written after the conditional Issue Management section

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

Author: github-actions[bot]

scripts/compliance-audit.sh

@@ -8,8 +8,9 @@
 #   standards/push-protection.md
 #
 # Outputs:
-#   $REPORT_DIR/findings.json   — machine-readable findings
-#   $REPORT_DIR/summary.md      — human-readable report
+#   $REPORT_DIR/findings.json      — machine-readable findings
+#   $REPORT_DIR/summary.md         — human-readable report
+#   $REPORT_DIR/issue-counts.json  — issue management counts (added/existing/removed)
 #
 # Environment variables:
 #   GH_TOKEN        — GitHub token with repo/org scope (required)
@@ -1030,19 +1031,24 @@ create_issue_for_finding() {
     2>/dev/null | head -1 || echo "")
 
   if [ -n "$existing" ]; then
-    # Update existing issue with a comment
+    # Update existing issue with a comment; only count as existing if the update succeeds
+    local update_ok=true
     gh issue comment "$existing" --repo "$ORG/$repo" \
       --body "**Weekly Compliance Audit** ($(date -u +%Y-%m-%d))
 
 This finding is still open.
 
 **Detail:** $detail
 
-**Standard:** [$standard_ref](https://github.com/$ORG/.github/blob/main/$standard_ref)" 2>/dev/null || true
-    # Ensure claude label is present on pre-existing issues
+**Standard:** [$standard_ref](https://github.com/$ORG/.github/blob/main/$standard_ref)" 2>/dev/null || update_ok=false
+    # Ensure claude label is present on pre-existing issues regardless
     gh issue edit "$existing" --repo "$ORG/$repo" --add-label "claude" 2>/dev/null || true
-    info "Updated existing issue #$existing in $repo for: $check"
-    ISSUES_EXISTING=$((ISSUES_EXISTING + 1))
+    if [ "$update_ok" = "true" ]; then
+      info "Updated existing issue #$existing in $repo for: $check"
+      ISSUES_EXISTING=$((ISSUES_EXISTING + 1))
+    else
+      warn "Failed to update existing issue #$existing in $repo for: $check"
+    fi
     # Record existing issue for umbrella
     jq --null-input \
       --arg repo "$repo" \
@@ -1261,11 +1267,14 @@ close_resolved_issues() {
 
     # If this check is no longer in findings, close the issue
     if ! echo "$current_checks" | grep -qx "$check_name"; then
-      gh issue close "$issue_num" --repo "$ORG/$repo" \
-        --comment "Resolved! This check is now passing as of $(date -u +%Y-%m-%d). Closing automatically." \
-        2>/dev/null || true
-      info "Closed resolved issue #$issue_num in $repo: $issue_title"
-      ISSUES_REMOVED=$((ISSUES_REMOVED + 1))
+      if gh issue close "$issue_num" --repo "$ORG/$repo" \
+          --comment "Resolved! This check is now passing as of $(date -u +%Y-%m-%d). Closing automatically." \
+          2>/dev/null; then
+        info "Closed resolved issue #$issue_num in $repo: $issue_title"
+        ISSUES_REMOVED=$((ISSUES_REMOVED + 1))
+      else
+        warn "Failed to close resolved issue #$issue_num in $repo: $issue_title"
+      fi
     fi
   done <<< "$open_issues"
 }
@@ -1588,12 +1597,11 @@ main() {
     info "Skipping issue creation (DRY_RUN=$DRY_RUN, CREATE_ISSUES=$CREATE_ISSUES)"
   fi
 
-  # Write issue-management counts
-  printf '{"added":%d,"existing":%d,"removed":%d}\n' \
-    "$ISSUES_ADDED" "$ISSUES_EXISTING" "$ISSUES_REMOVED" > "$ISSUE_COUNTS_FILE"
-
-  # Append issue-management count table and footer
-  cat >> "$SUMMARY_FILE" <<HEREDOC
+  # Write issue-management counts and append to summary (conditional on issue management running)
+  if [ "$CREATE_ISSUES" = "true" ] && [ "$DRY_RUN" != "true" ]; then
+    printf '{"added":%d,"existing":%d,"removed":%d}\n' \
+      "$ISSUES_ADDED" "$ISSUES_EXISTING" "$ISSUES_REMOVED" > "$ISSUE_COUNTS_FILE"
+    cat >> "$SUMMARY_FILE" <<HEREDOC
 
 ## Issue Management
 
@@ -1602,6 +1610,19 @@ main() {
 | Added (new) | $ISSUES_ADDED |
 | Existing (updated) | $ISSUES_EXISTING |
 | Removed (resolved) | $ISSUES_REMOVED |
+HEREDOC
+  else
+    printf '{"added":0,"existing":0,"removed":0}\n' > "$ISSUE_COUNTS_FILE"
+    cat >> "$SUMMARY_FILE" <<HEREDOC
+
+## Issue Management
+
+_Issue management was skipped (DRY\_RUN=$DRY_RUN, CREATE\_ISSUES=$CREATE_ISSUES)._
+HEREDOC
+  fi
+
+  # Append footer (always last)
+  cat >> "$SUMMARY_FILE" <<HEREDOC
 
 ---
 *Generated by the [weekly compliance audit](https://github.com/$ORG/.github/blob/main/.github/workflows/compliance-audit.yml) on $(date -u "+%Y-%m-%d %H:%M UTC").*