docs: document OIDC immutability constraint and exempt claude.yml from SHA pinning #159
…m SHA pinning

Documents the Anthropic OIDC invariant that caused a multi-repo incident on 2026-04-19/20: agent-generated compliance PRs that SHA-pinned the `uses:` line in claude.yml produced branches that differed from main, causing 401 rejections from Anthropic's OIDC token endpoint and preventing Claude Code from running.

- standards/workflows/claude.yml: expand AGENTS header with OIDC constraint explanation; add paths-ignore guard for self-referential PRs
- standards/ci-standards.md: add OIDC constraint callout to §4 Claude Code; add "Exception: Internal Reusable Workflow References" subsection to Action Pinning Policy exempting internal reusable workflow refs from SHA pinning
- standards/agent-standards.md: add "Compliance Exemptions" section listing claude.yml and agent-shield.yml as files agents must never open PRs against

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
📝 Walkthrough
Adds an immutability/exemption policy for agent-created PRs that protects two workflow stubs, records OIDC/byte-for-byte validation for
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
standards/workflows/claude.yml (1)
34-39: ⚠️ Potential issue | 🟡 Minor
`paths-ignore` only affects `pull_request` — confirm that's the intended scope.
`paths-ignore` under `pull_request:` prevents that trigger from running on PRs whose changeset is limited to `claude.yml`, which matches the stated goal. The other triggers (`issue_comment`, `pull_request_review_comment`, `issues`, `check_run`) are unaffected, which is correct — those don't carry PR-head workflow files anyway.

One edge case: a PR that modifies `claude.yml` plus other files will still trigger (GitHub's `paths-ignore` only skips when all changed files match). Such PRs will still hit the 401 at token exchange. The header text is clear enough about this, but it may be worth an explicit sentence in the header noting that `paths-ignore` is a narrow guard, not a complete shield.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@standards/workflows/claude.yml` around lines 34 - 39, Update the workflow header comment to explicitly state that the paths-ignore setting under the pull_request trigger only prevents the workflow from running when the PR's entire changeset is limited to claude.yml and does not protect PRs that modify claude.yml plus other files; reference the pull_request block and the paths-ignore key, and briefly note that other triggers (issue_comment, pull_request_review_comment, issues, check_run) are unaffected so they still run as configured.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@standards/ci-standards.md`:
- Around line 238-253: The MD lint failures are caused by the fenced code block
inside the OIDC security constraint blockquote: add a language to the fence
(e.g., ```text```), ensure there is a blank line inside the blockquote before
and after the fenced block (prefix those blank lines with > to satisfy
MD031/MD040), and remove the extra blank line that separates this blockquote
from the next callout so it isn't split (or if the split is intentional, keep
the blank line but update markdownlint config to allow MD028); update the “OIDC
security constraint — `claude.yml` is immutable on PR branches.” block
accordingly.
| ## Compliance Exemptions — Files Agents Must Not Modify | ||
|
|
||
| The following files are structurally immutable. Agents must not open PRs that | ||
| modify them. No compliance finding will ever require a change to these files; | ||
| if an existing agent-created PR touches them, close it without merging. | ||
|
|
||
| | File | Reason | | ||
| |------|--------| | ||
| | `.github/workflows/claude.yml` | Anthropic OIDC invariant — any diff from the default branch causes `401 Workflow validation failed`; Claude Code cannot run on that PR | | ||
| | `.github/workflows/agent-shield.yml` | Security boundary — agents are not permitted to weaken security scanning; changes require explicit human review | | ||
|
|
||
| These files must be adopted verbatim from `standards/workflows/` and updated | ||
| only by merging a standards PR from `petry-projects/.github`, which propagates | ||
| to all repos via the `@v1` tag bump. | ||
|
|
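Review bot: The instruction "if an existing agent-created PR touches them, close it without merging" does not say who closes the PR or what happens to unrelated, valid changes bundled in the same PR. Tell readers to split the non-exempt changes into a fresh PR before closing. The last paragraph routes every legitimate update through a standards PR from `petry-projects/.github`, so also state whether an agent may author that standards PR; as written, "Agents must not open PRs that modify them" could be read either way for the standards repo itself.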
🧹 Nitpick | 🔵 Trivial
LGTM — exemption section is well-scoped.
Clear rationale per file, and the "adopt verbatim / updated only via standards PR" instruction lines up with the Tier 1 stub contract in ci-standards.md. The LanguageTool "GitHub" capitalization hints on lines 25/26/29 are false positives — these are literal path/repo identifiers.
Minor suggestion: consider adding a machine-readable signal (e.g., a known list consumed by scripts/compliance-audit.sh) so the exemption is enforced at PR-open time rather than relying on agents reading this doc. Otherwise an agent that skips the doc will still attempt a compliance PR against claude.yml.
🧰 Tools
🪛 LanguageTool
[uncategorized] ~25-~25: The official name of this software platform is spelled with a capital “H”.
Context: ... | File | Reason | |------|--------| | .github/workflows/claude.yml | Anthropic OIDC ...
(GITHUB)
[uncategorized] ~26-~26: The official name of this software platform is spelled with a capital “H”.
Context: ...; Claude Code cannot run on that PR | | .github/workflows/agent-shield.yml | Security ...
(GITHUB)
[uncategorized] ~29-~29: The official name of this software platform is spelled with a capital “H”.
Context: ...ted only by merging a standards PR from petry-projects/.github, which propagates to all repos via the...
(GITHUB)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@standards/agent-standards.md` around lines 17 - 31, Add a machine-readable
exemption list and wire it into the existing compliance check so agents can’t
open PRs that modify those immutable workflow files: create a small JSON or YAML
file (e.g., a single-key list containing ".github/workflows/claude.yml" and
".github/workflows/agent-shield.yml" and any future entries) and update
scripts/compliance-audit.sh to read that file and reject PRs touching any listed
paths; also add a one-line reference in agent-standards.md next to the exemption
table pointing to this machine-readable source (and mention that the canonical
source of truth is the standards/workflows/ adoption process) so humans and
automation reference the same list.
| ### Exception: Internal Reusable Workflow References | ||
|
|
||
| Calls to `petry-projects/.github` reusable workflows use tag references | ||
| (`@v1`, `@main`) — **not SHA pins** — and are exempt from this policy. | ||
|
|
||
| ```yaml | ||
| # CORRECT — tag ref for internal reusable workflow | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1 | ||
|
|
||
| # WRONG — do not SHA-pin internal reusable workflow refs | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d | ||
| ``` | ||
|
|
||
| **Why:** Pinning the `uses:` line in a Tier 1 caller stub creates a diff from | ||
| the default branch. Anthropic's OIDC token endpoint validates that | ||
| `.github/workflows/claude.yml` on a PR branch is identical to the default | ||
| branch — any diff causes `401 Workflow validation failed` and Claude Code | ||
| cannot run on that PR. | ||
|
|
||
| The `@v1` tag on `petry-projects/.github` is managed deliberately (bumped only | ||
| on backward-compatible releases) and is not subject to tag-force-push risk | ||
| because the org controls the tag. **Do not open compliance PRs to pin these | ||
| references.** | ||
|
|
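Review bot: The opening paragraph exempts both `@v1` and `@main`, but the justification in the last paragraph covers only the `@v1` tag. `@main` is a branch ref that moves on every merge, so "managed deliberately (bumped only on backward-compatible releases)" does not apply to it; either drop `@main` from the exemption or give it its own rationale. The statement that `@v1` "is not subject to tag-force-push risk because the org controls the tag" should name the control that stops the tag from being re-pointed (for example a tag protection rule), since org ownership alone does not prevent a maintainer account or token with write access from moving it.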
🧩 Analysis chain
🏁 Script executed:
```shell
#!/bin/bash
rg -nP -C3 'check_action_pinning|unpinned-actions' scripts/compliance-audit.sh
```
Repository: petry-projects/.github
Length of output: 998
🏁 Script executed:
```shell
sed -n '186,250p' scripts/compliance-audit.sh
```
Repository: petry-projects/.github
Length of output: 2532
🏁 Script executed:
```shell
rg -n 'petry-projects.*\.github' scripts/compliance-audit.sh | head -20
```
Repository: petry-projects/.github
Length of output: 2479
🏁 Script executed:
```shell
rg -n '@v1|@main' scripts/compliance-audit.sh | grep -i 'filter\|exempt\|exclude'
```
Repository: petry-projects/.github
Length of output: 48
🏁 Script executed:
```shell
sed -n '756,779p' standards/ci-standards.md
```
Repository: petry-projects/.github
Length of output: 1137
Add whitelist for petry-projects/.github reusable workflow tag refs to check_action_pinning().
The check_action_pinning() function currently lacks a filter to exempt petry-projects/.github/** reusable workflows tagged with @v1 or @main. Without this whitelist, the audit will flag these exempted refs as unpinned and create compliance PRs attempting to pin them to SHA, defeating the purpose of the exemption documented in ci-standards.md (lines 756–779). Update the grep filter to exclude petry-projects/.github/**@(v1|main) patterns.
🧰 Tools
🪛 LanguageTool
[uncategorized] ~758-~758: The official name of this software platform is spelled with a capital “H”.
Context: ... Reusable Workflow References Calls to petry-projects/.github reusable workflows use tag references ...
(GITHUB)
[uncategorized] ~770-~770: The official name of this software platform is spelled with a capital “H”.
Context: ...ic's OIDC token endpoint validates that .github/workflows/claude.yml on a PR branch is...
(GITHUB)
[uncategorized] ~775-~775: The official name of this software platform is spelled with a capital “H”.
Context: ...annot run on that PR. The @v1 tag on petry-projects/.github is managed deliberately (bumped only o...
(GITHUB)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@standards/ci-standards.md` around lines 756 - 779, The check_action_pinning()
audit currently flags tag refs for internal reusable workflows; update its
grep/filter logic so it explicitly excludes petry-projects/.github
reusable-workflow tag refs (e.g. patterns matching
petry-projects/.github/**@(v1|main)); modify the filter used in
check_action_pinning() to add a negative match or whitelist for
petry-projects/.github/**@(v1|main) so those tag refs are skipped and not
reported or used to create compliance PRs.
4d9ee30 to 0de0ddc
Pull request overview
Documents the Anthropic OIDC immutability constraint for .github/workflows/claude.yml, adds a small workflow trigger guard to reduce accidental breakage, and formalizes an exemption so compliance agents don’t open SHA-pinning PRs against immutable workflow stubs.
Changes:
- Expanded `claude.yml` stub header documentation and added `paths-ignore` for PRs that only touch `.github/workflows/claude.yml`.
- Updated CI standards to document the OIDC constraint and to exempt internal reusable workflow references from SHA pinning.
- Added an explicit, machine-readable workflow exemption list and documented it in agent standards.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `standards/workflows/claude.yml` | Documents the immutability constraint and adds a paths-ignore guard for PR-only edits to the workflow file. |
| `standards/workflow-exemptions.yml` | Introduces a canonical, machine-readable list of files agents must not modify. |
| `standards/ci-standards.md` | Adds OIDC constraint callout and a formal “internal reusable workflow refs” exemption to the pinning policy. |
| `standards/agent-standards.md` | Documents the compliance exemptions and links to the canonical exemptions YAML. |
| # NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request | ||
| # prevents the workflow from triggering only when the PR's entire changeset | ||
| # is limited to claude.yml alone. PRs that modify claude.yml *plus other | ||
| # files* will still trigger the workflow and hit the 401 error at token | ||
| # exchange. Other triggers (issue_comment, pull_request_review_comment, | ||
| # issues, check_run) are unaffected by paths-ignore and run as configured. |
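Review bot: The NARROW GUARD comment describes the mixed-changeset case (claude.yml plus other files still triggers and hits the 401) but gives the PR author no instruction for it. Add one line saying what to do when that happens, for example removing the `claude.yml` change from the PR, so the comment is actionable and not only descriptive.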
The header comment calls out specific line numbers for the paths-ignore block ("lines 38-39"), but those line numbers are already out of date. To avoid future drift/misleading guidance, consider removing the line-number reference and instead point to the on.pull_request.paths-ignore section (or update the reference).
| # NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request | |
| # prevents the workflow from triggering only when the PR's entire changeset | |
| # is limited to claude.yml alone. PRs that modify claude.yml *plus other | |
| # files* will still trigger the workflow and hit the 401 error at token | |
| # exchange. Other triggers (issue_comment, pull_request_review_comment, | |
| # issues, check_run) are unaffected by paths-ignore and run as configured. | |
| # NARROW GUARD: The on.pull_request.paths-ignore setting prevents the | |
| # workflow from triggering only when the PR's entire changeset is limited | |
| # to claude.yml alone. PRs that modify claude.yml *plus other files* will | |
| # still trigger the workflow and hit the 401 error at token exchange. | |
| # Other triggers (issue_comment, pull_request_review_comment, issues, | |
| # check_run) are unaffected by paths-ignore and run as configured. |
Actionable comments posted: 2
♻️ Duplicate comments (1)
standards/ci-standards.md (1)
243-247: ⚠️ Potential issue | 🔴 Critical
CI is red: MD031 still unresolved on the OIDC callout fenced block.
Pipeline reports `MD031/blanks-around-fences` at lines 243 and 247. The previous review pointed this out and the language tag (```text) was added, but the required blank quoted lines (`>`) before/after the fence inside the blockquote are still missing.
🛠️ Proposed fix
> Any diff — including SHA-pinning the `uses:` line, adding a trigger, or > changing a comment — causes the OIDC token exchange to fail: +> > ```text > App token exchange failed: 401 Unauthorized — Workflow validation failed. > The workflow file must exist and have identical content to the version > on the repository's default branch. > ``` +> > Claude Code will not run on that PR. Agents must not open PRs that modify🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@standards/ci-standards.md` around lines 243 - 247, The Markdown blockquote containing the OIDC callout needs blank quoted lines before and after the fenced code block to satisfy MD031; update the fenced block that begins with "```text" (and the surrounding ">" quoted lines) by inserting a line with just ">" immediately before the opening fence and another ">" line immediately after the closing "```" so the sequence is: "> " blank line, "> ```text" ... "> ```", "> " blank line, then the following quoted paragraph.
| # Machine-readable compliance exemptions for agent-opened PRs | ||
| # Canonical source of truth for immutable workflow files | ||
| # Referenced by: agent-standards.md, compliance audit scripts | ||
| # | ||
| # DO NOT modify without human review. Agents must never open PRs against | ||
| # files listed below. | ||
|
|
||
| immutable_files: | ||
| - path: .github/workflows/claude.yml | ||
| reason: "OIDC invariant — any diff causes 401 Workflow validation failed" | ||
| requires_human_review: true | ||
|
|
||
| - path: .github/workflows/agent-shield.yml | ||
| reason: "Security boundary — agents cannot weaken security scanning" | ||
| requires_human_review: true |
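Review bot: `requires_human_review: true` is set on both entries but its meaning is never defined, and it conflicts with the header's "Agents must never open PRs against files listed below": if that rule is absolute the flag adds nothing, and if `false` is ever permitted the header is wrong. Define the field in the header comment or remove it. The "Referenced by" line also lists "compliance audit scripts" without naming the script that reads this file; name it so the reference can be verified.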
🧹 Nitpick | 🔵 Trivial
Canonical source not yet consumed by scripts/compliance-audit.sh.
Per the relevant code snippets, scripts/compliance-audit.sh performs hard-coded workflow checks and does not parse this YAML. Until the audit script reads immutable_files[].path and refuses to flag/PR-against those paths, the file is documentation-only — agents that skip agent-standards.md will still attempt compliance PRs against claude.yml and re-trigger the same OIDC incident this PR is trying to prevent.
Recommend a follow-up to wire this file into check_action_pinning() (and any auto-PR opener) so the exemption is enforced at PR-open time, not just documented.
Want me to open a tracking issue for that follow-up, or sketch a minimal yq-based read in compliance-audit.sh?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@standards/workflow-exemptions.yml` around lines 1 - 15, The YAML file defines
immutable_files but scripts/compliance-audit.sh and the check_action_pinning()
logic currently ignore it, so enforce the exemption by having
compliance-audit.sh (and any auto-PR opener) read immutable_files[].path from
standards/workflow-exemptions.yml and skip/refuse checks/PRs against those
paths; implement this by adding a small parser call in check_action_pinning()
(e.g., use yq or grep+awk if yq is unavailable) to load the list, compare
changed file paths against immutable_files, and return a non-zero/skip result
with a clear message when a disallowed change targets an immutable path. Ensure
the code references "immutable_files" and "check_action_pinning()" so reviewers
can find where to update.
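The enforcement requested in the two CodeRabbit comments above (skip internal `@v1`/`@main` reusable-workflow refs when auditing pinning, and refuse to act on paths listed under `immutable_files`), as an added example that is not the project's `scripts/compliance-audit.sh`. The function names `immutable_paths`, `touches_immutable`, `unpinned_refs` and `audit_file`, the sample workflow and the 40-hex SHA are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: not the project's scripts/compliance-audit.sh.
# Function names and sample data are constructed for illustration.

INTERNAL_REPO="petry-projects/.github"   # repo whose reusable workflows are exempt

# Read an exemption list on stdin (layout as in the workflow-exemptions.yml hunk
# on this page) and print one immutable path per line. Only the flat
# "- path: value" form is handled; a real script could use yq instead.
immutable_paths() {
  sed -n 's/^[[:space:]]*-[[:space:]]*path:[[:space:]]*//p' |
    sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Print every path from $2 (changed files, newline-separated) that is listed in
# $1 (immutable paths, newline-separated). Exit status 0 means "blocked".
touches_immutable() {
  _hits=$(printf '%s\n' "$2" | DENY="$1" awk '
    BEGIN { n = split(ENVIRON["DENY"], a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") deny[a[i]] = 1 }
    ($0 in deny) { print }')
  [ -n "$_hits" ] || return 1
  printf '%s\n' "$_hits"
}

# Read workflow YAML on stdin; print "LINE: REF" for each uses: ref that is not
# pinned to a full 40-hex commit SHA. Local (./) refs are skipped, and so are
# INTERNAL_REPO reusable workflows referenced by @v1 or @main (the exemption).
unpinned_refs() {
  awk -v internal="$INTERNAL_REPO" '
    /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)          # trailing comment
      gsub(/["\047]/, "", ref)            # surrounding quotes
      sub(/[ \t]+$/, "", ref)
      if (ref ~ /^\.\//) next             # local action or workflow
      at = index(ref, "@")
      rev = (at > 0) ? substr(ref, at + 1) : ""
      target = (at > 0) ? substr(ref, 1, at - 1) : ref
      if (length(rev) == 40 && rev ~ /^[0-9a-f]+$/) next
      if (index(target, internal "/.github/workflows/") == 1 &&
          (rev == "v1" || rev == "main")) next
      print NR ": " ref
    }'
}

# Decide what a compliance run may do with one workflow file: never propose a
# change to an immutable path; otherwise report its unpinned refs.
# $1 = repo-relative path, $2 = file content, $3 = immutable paths
audit_file() {
  if touches_immutable "$3" "$1" >/dev/null; then
    echo "SKIP $1 (immutable: do not open a PR)"
    return 0
  fi
  printf '%s\n' "$2" | unpinned_refs | while IFS= read -r finding; do
    echo "FINDING $1:$finding"
  done
}

# --- constructed sample input ------------------------------------------------
SAMPLE_EXEMPTIONS='immutable_files:
  - path: .github/workflows/claude.yml
    reason: "OIDC invariant"
    requires_human_review: true
  - path: .github/workflows/agent-shield.yml
    reason: "Security boundary"
    requires_human_review: true'

SAMPLE_WORKFLOW='jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA
  claude:
    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1'

IMMUTABLE=$(printf '%s\n' "$SAMPLE_EXEMPTIONS" | immutable_paths)
audit_file .github/workflows/ci.yml "$SAMPLE_WORKFLOW" "$IMMUTABLE"
audit_file .github/workflows/claude.yml "$SAMPLE_WORKFLOW" "$IMMUTABLE"
```

The immutable-path check runs before any pinning analysis, so a listed file never produces a finding that an auto-PR opener could act on.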
| # refs are exempt from the Action Pinning Policy (ci-standards.md | ||
| # §Action Pinning Policy). The @v1 tag is the correct, stable reference. | ||
| # | ||
| # NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request |
Stale line reference in NARROW GUARD comment.
The comment says paths-ignore setting (lines 38-39) but the actual paths-ignore block is at lines 45-46 in this file. Either remove the line numbers (recommended — they will drift again on any future edit and any change here invalidates the OIDC byte-for-byte invariant for downstream repos until @v1 is bumped) or correct them.
📝 Proposed fix
-# NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request
-# prevents the workflow from triggering only when the PR's entire changeset
-# is limited to claude.yml alone. PRs that modify claude.yml *plus other
-# files* will still trigger the workflow and hit the 401 error at token
-# exchange. Other triggers (issue_comment, pull_request_review_comment,
-# issues, check_run) are unaffected by paths-ignore and run as configured.
+# NARROW GUARD: The paths-ignore setting under `pull_request` (below)
+# prevents the workflow from triggering only when the PR's entire changeset
+# is limited to claude.yml alone. PRs that modify claude.yml *plus other
+# files* will still trigger the workflow and hit the 401 error at token
+# exchange. Other triggers (issue_comment, pull_request_review_comment,
+# issues, check_run) are unaffected by paths-ignore and run as configured.📝 Committable suggestion
| # NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request | |
| # NARROW GUARD: The paths-ignore setting under `pull_request` (below) | |
| # prevents the workflow from triggering only when the PR's entire changeset | |
| # is limited to claude.yml alone. PRs that modify claude.yml *plus other | |
| # files* will still trigger the workflow and hit the 401 error at token | |
| # exchange. Other triggers (issue_comment, pull_request_review_comment, | |
| # issues, check_run) are unaffected by paths-ignore and run as configured. |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@standards/workflows/claude.yml` at line 25, The "NARROW GUARD" comment
referencing "paths-ignore setting (lines 38-39)" is stale; update the NARROW
GUARD comment that references the paths-ignore block so it no longer contains
hard-coded line numbers (recommended) or correct the numbers to match the
current position of the paths-ignore block; edit the comment text in the
claude.yml NARROW GUARD section to either remove the "(lines ...)" portion or
replace it with a stable description pointing to the "paths-ignore" block so
future edits won't drift.
Automated Compliance PR Status
✓ Code fixes complete:
📋 Action Required:
Prepared by: Automated compliance reviewer
1adbe58 to e708c3a
- Add language tag to markdown code fence in blockquote (fix lint)
- Add blank line prefix to blockquote separator (fix MD028)
- Clarify paths-ignore scope: only protects claude-only changesets
- Document that other triggers are unaffected by paths-ignore
- Create machine-readable exemption list (workflow-exemptions.yml)
- Reference canonical source in agent-standards.md
- Ready for human review and merge

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
e708c3a to 04964b7
Resolves YAML linting error: new-line-at-end-of-file

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
don-petry left a comment
Automated review — NEEDS HUMAN REVIEW
Risk: LOW
Reviewed commit: 46ae7a63ea26d669a7632b9116a53ee892b8f9f4
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
This PR documents a real OIDC incident and adds sound guardrails (paths-ignore, exemption list, standards prose). CI is fully green and there are no security concerns. However, the PR cannot be approved because it carries an outstanding CHANGES_REQUESTED review decision from CodeRabbit with unresolved minor issues (MD031 lint formatting, unenforced machine-readable exemption list, stale line references in comments).
Findings
Minor
- [minor] (no file) — PR review decision is CHANGES_REQUESTED. The latest CodeRabbit review (on commit `96c10cbd`) flagged MD031 linting in `ci-standards.md` (blanks around fenced code block inside blockquote), unenforced `workflow-exemptions.json`, and stale hard-coded line numbers in `claude.yml`. These were not resolved in the final commit (`46ae7a63`, which only added a missing newline to `auto-rebase.yml`).
- [minor] `standards/agent-standards.md:20` — File naming mismatch: PR description, CodeRabbit walkthrough, and `agent-standards.md` reference `standards/workflow-exemptions.yml` (YAML), but the file actually created is `standards/workflow-exemptions.json` (JSON). References in `agent-standards.md` point to `workflow-exemptions.json`, which is consistent with the actual file — but the PR description and CodeRabbit summary are misleading.
- [minor] `standards/workflow-exemptions.json:1` — `workflow-exemptions.json` is purely declarative — it is not wired into any compliance script (`scripts/compliance-audit.sh`, `check_action_pinning()`, or any PR-opener). Agents currently rely solely on prose documentation to avoid touching these files. The machine-readable file provides no actual enforcement until automation reads it.
- [minor] `standards/workflows/claude.yml:25` — The `NARROW GUARD` comment references `lines 38-39` as hard-coded line numbers. As the file evolves these will become stale. CodeRabbit flagged this in its second review.

Info
- [info] All CI checks pass: Lint (SUCCESS), ShellCheck (SUCCESS), Agent Security Scan (SUCCESS), CodeQL (SUCCESS), SonarCloud (0 issues, 0 security hotspots), Dependency audit (SUCCESS). No CI gate failures.
- [info] Changes are standards documentation and workflow template only — no production code, no secrets, no credentials, no database migrations, no `shell=True` or `eval` patterns, no GitHub Actions permission escalations. The `paths-ignore` addition in `claude.yml` is additive and correctly scoped.
- [info] The `paths-ignore` guard correctly prevents `claude.yml` from triggering on PRs whose entire changeset is limited to `claude.yml`. The header comment explicitly documents the known limitation: PRs modifying `claude.yml` plus other files will still trigger and hit the 401 at token exchange. This is accurate and well-documented.
CI status
All CI checks pass: Lint, ShellCheck, Agent Security Scan, CodeQL, SonarCloud (0 issues, 0 security hotspots), Dependency audit.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Review — fix requested (cycle 1/3)
The automated review identified the following issues. Please address each one:
Findings to fix
Additional tasks
The review cascade will automatically re-review after new commits are pushed.
…ate-github check (#165)

The check incorrectly flagged petry-projects/.github/.github/workflows/ as invalid, but this is the CORRECT pattern per GitHub's reusable workflow syntax:
- First .github = repository name
- Second .github/workflows = directory path within that repository

This check was producing false positives across all repos:
- petry-projects/TalkTerm (issues #131, #130, #129)
- petry-projects/broodly (issues #159, #158)
- petry-projects/google-app-scripts (issues #226, #225)
- petry-projects/ContentTwin (issues #111, #110)
- petry-projects/markets (issues #137, #136)
- petry-projects/bmad-bgreat-suite (issues #123, #122)

Disable the check to reduce compliance audit noise and prevent auto-issue creation for valid patterns.

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>



Summary
Documents the Anthropic OIDC invariant that caused a multi-repo incident on 2026-04-19/20, adds structural guards, and closes the policy gap that caused compliance agents to open PRs modifying `claude.yml`.

Root cause of incident
Agent-generated compliance PRs (SHA-pinning the `uses:` line in `claude.yml`) produced PR branches where `claude.yml` differed from `main`. Anthropic's OIDC token endpoint rejected these with `401 Workflow validation failed`, preventing Claude Code from running on those PRs. A human fix attempt merged a broken path, requiring an emergency revert across 4 repos.

Changes
- `standards/workflows/claude.yml` — Expands the AGENTS header to explain the OIDC constraint and adds `paths-ignore: ['.github/workflows/claude.yml']` to prevent the workflow from firing on PRs that only change this file (structural self-enforcement).
- `standards/ci-standards.md` — Adds an OIDC constraint callout to §4 (Claude Code) and a new "Exception: Internal Reusable Workflow References" subsection to the Action Pinning Policy, explicitly exempting internal reusable workflow refs from SHA pinning.
- `standards/agent-standards.md` — Adds a "Compliance Exemptions" section listing `claude.yml` and `agent-shield.yml` as files agents must never open PRs against, with the reason documented.

Follow-up (separate)
Close the 4 stale open SHA-pinning PRs in markets, ContentTwin, TalkTerm, and bmad-bgreat-suite with a comment pointing to this standards update.