fix(compliance): disable false positive reusable-workflow-path-duplicate-github check #164
don-petry wants to merge 3 commits into
Conversation
Add gitleaks secret scanning as §4 of the required CI workflows and document: - Why organization repositories require a license (free tier available) - How to obtain and configure the GITLEAKS_LICENSE secret - Standard workflow configuration with environment variable setup - Common failure modes and troubleshooting Update organization-level secrets table to include GITLEAKS_LICENSE. Renumber subsequent sections (5-8 become 6-9) for correct ordering.
…can job spec - Add blank line before code fence in numbered list (MD031 fix) - Reference canonical secret-scan job definition in push-protection.md - Highlight GITLEAKS_LICENSE requirement for organization repositories - Keep license setup and troubleshooting documentation The canonical job specification in push-protection.md#layer-3 is the single source of truth. This change ensures we document the organization-specific GITLEAKS_LICENSE requirement without duplicating the job YAML. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…ath-duplicate-github The check incorrectly flagged petry-projects/.github/.github/workflows/ as invalid, but this is the CORRECT pattern per org standards: - First .github = repository name - Second .github/workflows = directory path within that repository GitHub reusable workflows require this double-segment syntax. This check was producing false positives across all repos. Disable it to reduce noise in compliance audits and prevent automated issue creation for valid patterns. Affected repos: TalkTerm, broodly, google-app-scripts, ContentTwin, markets, bmad-bgreat-suite Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
standards/ci-standards.md (1)
490-499: 🧹 Nitpick | 🔵 Trivial: Section numbering is inconsistent after renumbering.
`AgentShield` is now `### 8`, but `Auto-Rebase` is also still `### 8`. This should be renumbered to keep headings and cross-references unambiguous.
Suggested doc-numbering cleanup:
-### 8. Auto-Rebase (`auto-rebase.yml`) +### 9. Auto-Rebase (`auto-rebase.yml`) @@ -### 9. Feature Ideation (`feature-ideation.yml`) — BMAD Method repos +### 10. Feature Ideation (`feature-ideation.yml`) — BMAD Method repos🤖 Prompt for AI Agents
| **Standard configuration:** See the canonical job specification in | ||
| [`push-protection.md` — Layer 3: CI Secret Scanning](push-protection.md#layer-3--ci-secret-scanning-secondary-defense). | ||
|
|
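Review bot: the fragment `#layer-3--ci-secret-scanning-secondary-defense` in the link on the second line of this hunk only resolves if GitHub's generated heading id really contains a double hyphen. GitHub drops punctuation and turns every space into a hyphen, so a heading written `Layer 3 — CI Secret Scanning (Secondary Defense)` yields `layer-3--ci-secret-scanning-secondary-defense`, while `Layer 3: CI Secret Scanning (Secondary Defense)` yields `layer-3-ci-secret-scanning-secondary-defense` with a single hyphen. Please click the link on the rendered branch and confirm it lands on the heading; this line is the one place the section names as its source of truth, so a dead anchor here sends adopters nowhere.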
Cross-doc config drift: canonical secret-scan reference omits the now-required org license env.
This section points readers to push-protection.md as the canonical job config, but that canonical snippet currently lacks GITLEAKS_LICENSE. Teams copying only the canonical block can still hit the exact failure you describe. Please sync the canonical template (or explicitly state here that the canonical block must be extended for org repos).
Also applies to: 246-255
|
Closing in favor of #165 which is based on latest main
Pull request was closed
Pull request overview
This PR aims to reduce compliance-audit noise by disabling a false-positive check around GitHub reusable workflow `uses:` path syntax (the valid `petry-projects/.github/.github/workflows/...` pattern).
Changes:
- Disables `check_reusable_workflow_paths()` in `scripts/compliance-audit.sh` and documents why the double `.github/` segment is valid.
- Adds a new “Secret Scanning (gitleaks)” section and updates the org secret list in `standards/ci-standards.md`.
- Renumbers several “Required Workflows” subsections in `standards/ci-standards.md`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/compliance-audit.sh | Disables the reusable-workflow path check and adds explanatory comments. |
| standards/ci-standards.md | Adds/updates documentation (secret scanning + renumbered required-workflow sections + secret list entry). |
Comments suppressed due to low confidence (1)
standards/ci-standards.md:500
- Section numbering is now inconsistent: `AgentShield` is labeled `### 8`, but the next section `Auto-Rebase` is also labeled `### 8`. Please renumber `Auto-Rebase` (and any subsequent sections) to keep unique, sequential section numbers.
### 8. AgentShield (`agent-shield.yml`)
Agent configuration security validation. Checks that CLAUDE.md and
AGENTS.md exist and follow standards, scans for secrets in agent config
files, validates SKILL.md frontmatter, and detects permission bypasses.
See [`workflows/agent-shield.yml`](workflows/agent-shield.yml) and the
[Agent Configuration Standards](agent-standards.md) for full details.
### 8. Auto-Rebase (`auto-rebase.yml`)
Keeps open non-Dependabot PRs up-to-date with the base branch.
| # Reference: https://docs.github.com/en/actions/using-workflows/reusing-workflows | ||
| # Example: uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1 | ||
| check_reusable_workflow_paths() { | ||
| local repo="$1" |
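Review bot: `local repo="$1"` on the last line of this hunk is assigned but never read now that the function body does nothing, so ShellCheck SC2034 will fail the lint job; either drop the assignment or keep it deliberately with a `# shellcheck disable=SC2034` directive on the line above. More importantly, a check that returns without doing any work reports as "passed" in the audit output, which is indistinguishable from a check that ran and found nothing. Suggest emitting an explicit skipped result here, for example `echo "SKIP: reusable-workflow path check disabled (see comment above)"`, so the audit record shows the check was intentionally not run, and leave the `# Example:` line as the documented valid form so the check can be reinstated as a validator of that shape rather than re-disabled.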
check_reusable_workflow_paths now declares local repo="$1" but never uses it. This triggers ShellCheck SC2034 (unused variable) and will fail the ShellCheck CI job. Remove the unused variable assignment (or explicitly disable SC2034 for that line) so the script passes linting.
| local repo="$1" |
| **Organization repos only — GITLEAKS_LICENSE requirement:** | ||
|
|
||
| When adding the `secret-scan` job to an organization repository's `ci.yml`, you **must** | ||
| pass the `GITLEAKS_LICENSE` secret to the gitleaks action: | ||
|
|
||
| ```yaml | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | ||
| ``` | ||
|
|
||
| Without this environment variable, gitleaks will fail with "missing gitleaks license" | ||
| when scanning in an organization context. | ||
|
|
||
| **Required secrets:** `GITLEAKS_LICENSE` (org-level, organization repositories only) | ||
|
|
||
| **License requirement:** Gitleaks is free for open-source, but organization scans | ||
| require a valid license. Obtain a free license at [gitleaks.io](https://gitleaks.io). | ||
|
|
||
| **License setup:** | ||
|
|
||
| 1. Create or log into your account at [gitleaks.io](https://gitleaks.io) | ||
| 2. Generate a free license key for your organization | ||
| 3. Add the license as the org-level secret `GITLEAKS_LICENSE`: | ||
|
|
||
| ```bash | ||
| gh secret set GITLEAKS_LICENSE --org petry-projects --body "<license-key>" | ||
| ``` | ||
|
|
||
| **For personal/user repos:** The `GITLEAKS_LICENSE` environment variable is optional. | ||
| If omitted, gitleaks runs in open-source mode (free, no license needed). | ||
|
|
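Review bot: the bash block in this hunk, `gh secret set GITLEAKS_LICENSE --org petry-projects --body "<license-key>"`, puts the license key on the command line, where it is written to shell history and visible in process listings on the operator's machine; recommend the form that reads the value from stdin or a file instead (`gh secret set GITLEAKS_LICENSE --org petry-projects < license.txt`, or `--body-file license.txt`). Two further points on the same lines: `gh secret set --org` creates the secret with `--visibility private` by default, so if any of the affected repositories is public it will not receive `GITLEAKS_LICENSE` unless `--visibility all` or `--visibility selected` is passed, and that belongs next to the command; and the "missing gitleaks license" failure text and the "must" requirement are asserted here but absent from the canonical job this section points to in push-protection.md, so state the requirement in exactly one place to avoid the drift both reviewers flag.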
This new section asserts that gitleaks requires GITLEAKS_LICENSE for organization repos and that runs will fail without it, but the canonical CI job in standards/push-protection.md does not set or mention GITLEAKS_LICENSE at all (it only passes GITHUB_TOKEN). Please reconcile these standards (either update push-protection.md + the canonical job spec accordingly, or remove/correct the license requirement here) to avoid misleading adopters.
| **Organization repos only — GITLEAKS_LICENSE requirement:** | |
| When adding the `secret-scan` job to an organization repository's `ci.yml`, you **must** | |
| pass the `GITLEAKS_LICENSE` secret to the gitleaks action: | |
| ```yaml | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | |
| ``` | |
| Without this environment variable, gitleaks will fail with "missing gitleaks license" | |
| when scanning in an organization context. | |
| **Required secrets:** `GITLEAKS_LICENSE` (org-level, organization repositories only) | |
| **License requirement:** Gitleaks is free for open-source, but organization scans | |
| require a valid license. Obtain a free license at [gitleaks.io](https://gitleaks.io). | |
| **License setup:** | |
| 1. Create or log into your account at [gitleaks.io](https://gitleaks.io) | |
| 2. Generate a free license key for your organization | |
| 3. Add the license as the org-level secret `GITLEAKS_LICENSE`: | |
| ```bash | |
| gh secret set GITLEAKS_LICENSE --org petry-projects --body "<license-key>" | |
| ``` | |
| **For personal/user repos:** The `GITLEAKS_LICENSE` environment variable is optional. | |
| If omitted, gitleaks runs in open-source mode (free, no license needed). | |
| **Configuration source of truth:** | |
| The `secret-scan` job must match the canonical configuration in | |
| [`push-protection.md`](push-protection.md#layer-3--ci-secret-scanning-secondary-defense). | |
| Do not add extra required secrets or environment variables unless they are also | |
| specified there. | |
| At present, this standard does **not** impose a separate organization-only | |
| requirement to pass `GITLEAKS_LICENSE`. If gitleaks licensing or authentication | |
| requirements change in the future, update the canonical job specification in | |
| `push-protection.md` first, then mirror that guidance here. | |
| **Required secrets:** Use only the secrets required by the canonical job | |
| definition in `push-protection.md`. | |
| **Note:** If you encounter a repository or vendor-specific need for additional | |
| gitleaks configuration, treat that as a standards update task rather than local | |
| repo drift. |
| and the [Dependabot Policy](dependabot-policy.md). | ||
|
|
||
| ### 7. AgentShield (`agent-shield.yml`) | ||
| ### 8. AgentShield (`agent-shield.yml`) |
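Review bot: renumbering `### 7. AgentShield` to `### 8.` changes the heading's auto-generated anchor, and elsewhere on this page the following heading still reads `### 8. Auto-Rebase (`auto-rebase.yml`)`, so this hunk leaves two sections numbered 8. Because GitHub derives anchors from the heading text and does not support explicit ids, every renumber silently breaks inbound links; suggest finishing the renumber pass in this PR and adding a markdown link check that verifies fragments to the CI standards workflow, so a stale intra-repo anchor fails a build instead of being found by a reader.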
Renumbering the required-workflow headings changes the generated Markdown anchors (e.g. Claude Code was previously referenced as #4-claude-code-claudeyml in multiple workflow headers and scripts). With Claude now labeled §5 and subsequent sections shifted, those in-repo links become stale (for example .github/workflows/claude.yml and scripts/compliance-audit.sh still reference the old anchors). Either keep the existing section numbers/anchors stable or update all inbound references in the repo to the new anchors.
| ### 8. AgentShield (`agent-shield.yml`) | |
| ### 8A. AgentShield (`agent-shield.yml`) |
| ### 4. Secret Scanning (`ci.yml` — gitleaks job) | ||
|
|
||
| Secret detection via the gitleaks action. This job **must be added to the CI pipeline** | ||
| for all organization repositories. The job scans commit history for hardcoded secrets, | ||
| API keys, and other sensitive data. | ||
|
|
||
| **Why a separate job?** Gitleaks requires a license key when scanning organization | ||
| repositories (free for open-source). The job is part of the main `ci.yml` pipeline | ||
| but documented separately to clarify the licensing requirement. | ||
|
|
||
| **Standard configuration:** See the canonical job specification in | ||
| [`push-protection.md` — Layer 3: CI Secret Scanning](push-protection.md#layer-3--ci-secret-scanning-secondary-defense). | ||
|
|
||
| **Organization repos only — GITLEAKS_LICENSE requirement:** | ||
|
|
||
| When adding the `secret-scan` job to an organization repository's `ci.yml`, you **must** | ||
| pass the `GITLEAKS_LICENSE` secret to the gitleaks action: | ||
|
|
||
| ```yaml | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | ||
| ``` | ||
|
|
||
| Without this environment variable, gitleaks will fail with "missing gitleaks license" | ||
| when scanning in an organization context. | ||
|
|
||
| **Required secrets:** `GITLEAKS_LICENSE` (org-level, organization repositories only) |
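Review bot: the first paragraph of this hunk says the job "scans commit history for hardcoded secrets", but gitleaks can only scan the commits present in the working clone, and `actions/checkout` defaults to `fetch-depth: 1`; please confirm the canonical checkout step in push-protection.md uses `fetch-depth: 0`, and otherwise soften this line to "the commits in the checked-out range". The "Why a separate job?" paragraph gives licensing as the reason for a separate job, which is a documentation reason rather than an engineering one; the operational reason worth stating is that a standalone `secret-scan` job can be made a required status check and still runs when lint or test jobs fail. Finally, this whole section is outside the scope named in the PR title, so the description should mention it or it should move to its own PR.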
The PR description/title focus on disabling the false-positive reusable-workflow-path check and documenting the .github/.github reusable-workflow pattern, but this hunk introduces a new numbered “Secret Scanning (gitleaks)” section and adds GITLEAKS_LICENSE to the org secrets list. If this is intentional, please update the PR description to reflect the additional scope; otherwise, consider splitting the secret-scanning documentation into a separate PR.



Summary
Disables a false-positive compliance audit check that incorrectly flags the correct GitHub reusable workflow reference pattern.
- Issue: The compliance audit was flagging `petry-projects/.github/.github/workflows/...` as incorrect
- Root cause: The check didn't account for GitHub's reusable workflow syntax where the first segment is the repo name and the second is the path within that repo
- Solution: Disable the check and document why the double `.github/` pattern is correct per org standards
Affected Repositories
This fix prevents false-positive compliance issues across 6 repos:
Changes
- `check_reusable_workflow_paths()` in `scripts/compliance-audit.sh`
Reference
GitHub Reusable Workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows
Correct pattern:
`uses: petry-projects/.github/.github/workflows/workflow-name.yml@v1`
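The alternative to disabling the check is a validator that knows the documented shape. This is an added example, not code from this PR or the project's compliance-audit.sh: it accepts `{owner}/{repo}/.github/workflows/{file}@{ref}` (so the double `.github` segment passes) and the local `./.github/workflows/{file}` form, rejects the single-segment form, and runs over a constructed sample workflow.

```shell
#!/usr/bin/env bash
# Added example, not the project's compliance-audit.sh: validate reusable-workflow
# references instead of disabling the check. Accepted shapes (GitHub docs):
#   {owner}/{repo}/.github/workflows/{file}.yml@{ref}  or  ./.github/workflows/{file}.yml
# A repo named `.github` legitimately yields petry-projects/.github/.github/workflows/...
set -euo pipefail

# Returns 0 when $1 is a well-formed reusable-workflow reference, 1 otherwise.
valid_reusable_workflow_ref() {
  local ref="$1"
  local owner='[A-Za-z0-9](-?[A-Za-z0-9])*'
  local repo='[A-Za-z0-9._-]+'
  local file='[A-Za-z0-9._-]+\.ya?ml'
  local gitref='[^@[:space:]]+'
  local remote_re="^${owner}/${repo}/\.github/workflows/${file}@${gitref}\$"
  local local_re="^\./\.github/workflows/${file}\$"
  [[ "$ref" =~ $remote_re ]] || [[ "$ref" =~ $local_re ]]
}

# Scans one workflow file and prints every reusable-workflow reference that fails
# validation. Action references (actions/checkout@v4) are skipped. Returns 0
# when every reusable-workflow reference is well formed.
audit_workflow_uses() {
  local file="$1" line ref bad=0
  local uses_re="^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*[\"']?([^[:space:]\"'#]+)"
  while IFS= read -r line; do
    [[ "$line" =~ $uses_re ]] || continue
    ref="${BASH_REMATCH[2]}"
    [[ "$ref" == *"/workflows/"* ]] || continue   # only reusable workflows
    if ! valid_reusable_workflow_ref "$ref"; then
      printf 'INVALID reusable workflow reference in %s: %s\n' "$file" "$ref"
      bad=1
    fi
  done < "$file"
  return "$bad"
}

# Constructed sample workflow (not from any real repository): two valid references
# and one that omits the repository segment, the form the old check accepted.
SAMPLE_FILE="$(mktemp)"
cat > "$SAMPLE_FILE" <<'EOF'
jobs:
  claude:
    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1
  lint:
    uses: ./.github/workflows/lint.yml
  broken:
    uses: petry-projects/.github/workflows/claude-code-reusable.yml@v1
EOF
audit_workflow_uses "$SAMPLE_FILE" || echo "audit found invalid reusable workflow references"
```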