fix: pin agent-shield reusable workflow to SHA

[don-petry]

Summary

• Pins uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1 to its commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2)
• Adds # v1 comment for human readability per the org action-pinning policy

Compliance

Resolves the compliance finding from the weekly audit: unpinned-actions-agent-shield.yml.

Standard: standards/ci-standards.md#action-pinning-policy

SHA was looked up via:

gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.sha'
# → 208ec2d69b75227d375edf8745d84fbac05a76b2

Closes #104

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated workflow configurations to enhance build reliability and process consistency.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fd240d71-4b53-41be-98b1-8b2a08b465d8

📥 Commits

Reviewing files that changed from the base of the PR and between d0738f9 and 65508b9.

📒 Files selected for processing (2)

• .github/workflows/agent-shield.yml
• standards/workflows/agent-shield.yml

---

📝 Walkthrough

Walkthrough

Both workflow files update their reusable workflow references from a floating version tag (@v1) to a pinned commit SHA (@208ec2d69b75227d375edf8745d84fbac05a76b2), bringing the workflows into compliance with the action-pinning policy.

Changes

Workflow Reference Pinning

Layer / File(s)	Summary
Workflow Configuration .github/workflows/agent-shield.yml, standards/workflows/agent-shield.yml	Reusable workflow reference uses: directive updated from floating @v1 tag to pinned commit SHA for compliance with action-pinning policy.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• Compliance: unpinned-actions-agent-shield.yml #104 – Directly addresses the compliance finding for unpinned agent-shield.yml action by pinning the reusable workflow reference to a specific commit SHA.

Possibly related PRs

• petry-projects/.github#88: Modifies the same callable in standards/workflows/agent-shield.yml by pinning the reusable-workflow reference.
• petry-projects/.github#87: Updates the agent-shield workflow's reusable-workflow invocation with a specific version reference.
• petry-projects/.github#159: Related to the same agent-shield workflow; marks it as immutable/exempt from SHA-pinning requirements.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: pinning the agent-shield reusable workflow reference to a specific commit SHA instead of the floating @v1 tag.
Linked Issues check	✅ Passed	The PR successfully addresses issue #104 by pinning the reusable workflow reference from @v1 to commit SHA 208ec2d69b75227d375edf8745d84fbac05a76b2, fully complying with the action-pinning policy.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the issue requirements: updating workflow references to pinned SHAs in both the live workflow and standards template for consistency.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-104-20260414-1421

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Pins the repository’s AgentShield caller workflow to a specific commit SHA to comply with the org’s GitHub Actions pinning policy and resolve the reported compliance finding.

Changes:

• Replaces the reusable workflow reference from @v1 to a full commit SHA.
• Adds a # v1 inline comment for human-readable version context.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This file’s header says the source of truth is standards/workflows/agent-shield.yml, but after this change the two files will drift (standards/workflows/agent-shield.yml still uses @v1). To avoid reintroducing noncompliant templates for downstream repos (and to keep the “source of truth” statement accurate), please update the standards template to the same SHA+# v1 comment (or adjust the header if the template is intentionally different).

[don-petry]

Outdated review (superseded by re-review at a45317f45210bb2b3a47c37eeccce66b0d7f5065) — click to expand.

Automated review — APPROVED

Risk: LOW
Reviewed commit: d1dd76517ffdc864b41f13fb1083a3228d805770
Cascade: triage(haiku) → sonnet

Note: Automated approval could not be recorded as a formal review (GitHub prevents self-approval). Review verdict: APPROVE.

Summary

This PR pins a reusable workflow reference from a mutable tag (@v1) to a pinned SHA per the org's action-pinning policy, resolving compliance issue #104. All CI checks pass (Lint, ShellCheck, CodeQL, SonarCloud, Agent Security Scan). The change is a net security improvement with no risk signals beyond a minor SHA-verification caveat.

Findings

Minor

• ⚠️ .github/workflows/agent-shield.yml:33 — sha-verification: The SHA was looked up via gh api .../git/refs/tags/v1 --jq '.object.sha'. For annotated tags, this returns the tag-object SHA, not the commit SHA — GitHub Actions requires the commit SHA for uses: pinning. For lightweight tags the command is correct. If v1 is an annotated tag, the pin may silently resolve incorrectly. No runtime failure is visible in CI because the reusable workflow is not exercised in this PR's test suite. Recommend verifying with: gh api repos/petry-projects/.github/git/ref/tags/v1 --jq '.object | if .type == "commit" then .sha else "annotated-tag: dereference needed" end'

Info

• triage: Triage was escalated due to invalid output (triage-output-invalid), not because of actual risk signals in the diff. This is a routine compliance fix.
• merge-status: Branch is behind main (mergeStateStatus: BEHIND). A rebase or merge commit is needed before merging, but this does not affect correctness of the change.

CI status

All CI checks pass: Lint, ShellCheck, CodeQL, SonarCloud, Agent Security Scan.

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 → audit: opus 4.6). Reply with @don-petry if you need a human.

[don-petry]

@claude[agent] - Address the open comments. Ensure the standard is also updated with the SHA pinning as part of this PR.

[Claude]

@claude[agent] - Address the open comments. Ensure the standard is also updated with the SHA pinning as part of this PR.

Updated standards/workflows/agent-shield.yml to pin the reusable workflow to the same SHA (@208ec2d69b75227d375edf8745d84fbac05a76b2) with the # v1 comment. Both files now match.

Commit: fee3ae1

[don-petry]

Outdated review (superseded by re-review at a45317f45210bb2b3a47c37eeccce66b0d7f5065) — click to expand.

Automated review — APPROVED

Risk: LOW
Reviewed commit: fee3ae1715b4852df6000915d6d0a474f8bd1e36
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Note: Review posted as comment — GitHub does not permit self-approval on this PR.

Summary

This PR pins a reusable workflow reference from @v1 to a commit SHA in both the live workflow and the standards template, resolving compliance finding #104. All CI checks pass (CodeQL, CodeRabbit, SonarCloud) and the new commit directly addresses the prior review's request to update the standards file. Triage escalated due to an internal output failure, not actual risk signals.

Findings

Minor

• [minor] .github/workflows/agent-shield.yml:33 — The SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 was obtained via gh api .../git/refs/tags/v1 --jq .object.sha. For annotated tags this returns the tag-object SHA, not the commit SHA; GitHub Actions pinning requires the commit SHA. For lightweight tags the command is correct. CI passes and no runtime failure is observed, suggesting the tag is lightweight or the SHA is correct. To verify definitively: gh api repos/petry-projects/.github/git/ref/tags/v1 --jq '.object | if .type == "commit" then "OK: " + .sha else "annotated-tag: dereference needed" end'

Info

• [info] Triage escalated with signal triage-output-invalid — this reflects a triage process failure, not a risk in the diff. The actual change is a 2-line compliance fix.
• [info] standards/workflows/agent-shield.yml:33 — The new commit (fee3ae1) correctly mirrors the SHA pin in standards/workflows/agent-shield.yml, keeping the live workflow and its template in sync. This fully addresses the prior review feedback.
• [info] All CI checks passed: CodeQL (SUCCESS), CodeRabbit (SUCCESS), SonarCloud Quality Gate (PASSED, 0 new issues, 0 security hotspots).

CI status

All CI checks passed: CodeQL (SUCCESS), CodeRabbit (SUCCESS), SonarCloud Quality Gate (PASSED, 0 new issues, 0 security hotspots).

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[petry-projects-pr-review-agent]

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

@dev-lead - please fix this PR

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push