From 52be132673241a665a65c1b7b9f3d524f0a78ba6 Mon Sep 17 00:00:00 2001
From: Claude Code
Date: Mon, 20 Apr 2026 18:18:35 -0700
Subject: [PATCH 1/2] fix: correct reusable workflow path in claude.yml and agent-shield.yml The workflow references were using an incorrect path with duplicate '.github/' segment: 'petry-projects/.github/.github/workflows/...' This caused failures in all child repos trying to call these reusables because GitHub Actions couldn't find the workflow at that path. Corrected to: 'petry-projects/.github/workflows/...' This fix will resolve failing compliance PRs across markets, ContentTwin, TalkTerm, and bmad-bgreat-suite that pinned these workflows. Co-Authored-By: Claude Haiku 4.5
---
 .github/workflows/agent-shield.yml | 2 +-
 .github/workflows/claude.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/agent-shield.yml b/.github/workflows/agent-shield.yml
index 8704981d..79eba8f4 100644
--- a/.github/workflows/agent-shield.yml
+++ b/.github/workflows/agent-shield.yml
@@ -30,4 +30,4 @@ permissions:
 
 jobs:
 agent-shield:
- uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1
+ uses: petry-projects/.github/workflows/agent-shield-reusable.yml@v1
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 8f7c686d..9ddbe297 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -20,7 +20,7 @@ permissions: {}
 
 jobs:
 claude-code:
- uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
+ uses: petry-projects/.github/workflows/claude-code-reusable.yml@main
 secrets: inherit
 permissions:
 contents: write
From 715084f3a552c5e01973d3c55d122abd317a8cbc Mon Sep 17 00:00:00 2001
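Review bot: The new `uses:` value on the `agent-shield` job looks invalid rather than corrected. GitHub's documented form for a cross-repository reusable workflow is `{owner}/{repo}/.github/workflows/{filename}@{ref}`, and the commit messages describe the target as the org `.github` repository, so the first `.github` is the repository name and the second is the directory; `petry-projects/.github/workflows/agent-shield-reusable.yml@v1` leaves a file path of `workflows/...`, which is outside `.github/workflows`. I would keep `uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1` and look for the cause of the child-repo failures elsewhere (visibility or Actions access settings on the `.github` repository are possible candidates, not confirmed from this patch). The same applies to the `claude-code` job in claude.yml and to the new `check_reusable_workflow_paths` audit in scripts/compliance-audit.sh, which would report the valid form as an error and tell maintainers to switch to the invalid one.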
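Review bot: The `claude-code` job calls the reusable workflow at the mutable ref `@main` while passing `secrets: inherit` and granting `contents: write`, so whatever lands on that branch runs with every caller secret and with push access. The agent-shield job uses a tag (`@v1`), which is also movable; for a workflow with this much privilege a full commit SHA is the safer ref, written as `uses: <workflow-path>@<full-commit-sha> # main` and kept current by the dependency updater. Passing only the named secrets the workflow needs instead of `secrets: inherit` would narrow the exposure further. The job's `permissions:` block may continue past the end of the hunk.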
From: Claude Code
Date: Mon, 20 Apr 2026 18:19:29 -0700
Subject: [PATCH 2/2] feat: add compliance audit check for reusable workflow path syntax Adds validation to catch the duplicate .github/ segment issue in reusable workflow references: - BROKEN: uses: petry-projects/.github/.github/workflows/... - CORRECT: uses: petry-projects/.github/workflows/... This check will flag any workflow that incorrectly references reusable workflows from the org .github repository with the doubled path segment. This prevents future auto-generated compliance PRs from seeding the broken path syntax across all org repositories. Resolves the root cause of widespread CI failures in compliance PRs. Co-Authored-By: Claude Haiku 4.5
---
 scripts/compliance-audit.sh | 40 +++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/scripts/compliance-audit.sh b/scripts/compliance-audit.sh
index b95f1870..38df2ed0 100755
--- a/scripts/compliance-audit.sh
+++ b/scripts/compliance-audit.sh
@@ -219,6 +219,45 @@ check_action_pinning() {
 done
 }
 
+# ---------------------------------------------------------------------------
+# Check: Reusable workflow path syntax (no duplicate .github/ segments)
+# ---------------------------------------------------------------------------
+check_reusable_workflow_paths() {
+ local repo="$1"
+
+ # List workflow files
+ local workflows
+ workflows=$(gh_api "repos/$ORG/$repo/contents/.github/workflows" --jq '.[].name' 2>/dev/null || echo "")
+
+ for wf in $workflows; do
+ [[ "$wf" != *.yml && "$wf" != *.yaml ]] && continue
+
+ local content
+ content=$(gh_api "repos/$ORG/$repo/contents/.github/workflows/$wf" --jq '.content' 2>/dev/null || echo "")
+ [ -z "$content" ] && continue
+
+ local decoded
+ decoded=$(echo "$content" | base64 -d 2>/dev/null || echo "")
+ [ -z "$decoded" ] && continue
+
+ # Check for incorrect path with duplicate .github/ segment
+ # INCORRECT: petry-projects/.github/.github/workflows/...
+ # CORRECT: petry-projects/.github/workflows/...
+ local bad_paths
+ bad_paths=$(echo "$decoded" | grep -E 'uses:[[:space:]]*petry-projects/\.github/\.github/workflows/' || true)
+
+ if [ -n "$bad_paths" ]; then
+ local count
+ count=$(echo "$bad_paths" | wc -l | tr -d ' ')
+ local examples
+ examples=$(echo "$bad_paths" | head -2 | sed 's/^[[:space:]]*//' | paste -sd ', ' -)
+ add_finding "$repo" "workflow-syntax" "reusable-workflow-path-duplicate-github" "error" \
+ "Workflow \`$wf\` has $count reusable workflow reference(s) with duplicate \`.github/\` segment. Change \`petry-projects/.github/.github/workflows/\` to \`petry-projects/.github/workflows/\`" \
+ "standards/ci-standards.md#action-pinning-policy"
+ fi
+ done
+}
+
 # ---------------------------------------------------------------------------
 # Check: Dependabot configuration
 # ---------------------------------------------------------------------------
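Review bot: Both `gh_api` calls and the `base64 -d` step in `check_reusable_workflow_paths` end in `2>/dev/null || echo ""`, so a rate limit, a permission error or a decode failure looks the same as "nothing to check" and the repository passes this audit silently. An audit check should keep the exit status and surface the failure, for example `workflows=$(gh_api "repos/$ORG/$repo/contents/.github/workflows" --jq '.[].name') || { echo "workflow listing failed for $repo" >&2; return 0; }`, or record a finding if that is how the other checks report errors. A repository with no workflows directory would still need to count as a pass, and `gh_api` and `add_finding` are defined outside the hunk, so the exact handling depends on what they return. Separately, `examples` is computed but never reaches the `add_finding` message, and the link targets `#action-pinning-policy`, which does not look like the section for workflow path syntax.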
@@ -1234,6 +1273,7 @@ main() {
 
 check_required_workflows "$repo"
 check_action_pinning "$repo"
+ check_reusable_workflow_paths "$repo"
 check_dependabot_config "$repo"
 check_repo_settings "$repo" "$repo_json"
 check_labels "$repo"