fix(standards): pin auto-rebase stub to SHA to satisfy SonarCloud security gate

[don-petry]

Summary

• Updates the canonical auto-rebase.yml stub in standards/workflows/ to use SHA-pinned format with version comment instead of the mutable @v1 tag
• Before: @v1 (mutable tag — SonarCloud Security Hotspot)
• After: @126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 # v1 (immutable SHA + readable version comment)
• The SHA and the v1 tag resolve to the same commit — this is a reference format change only

Why

The previous canonical stub used @v1. Repos adopting this stub (e.g. bmad-bgreat-suite PR #129) were passing the non-stub-auto-rebase.yml compliance check but failing the SonarCloud security gate, which flags mutable tag references in uses: lines as Security Hotspots (supply-chain risk).

SHA-pinned references satisfy both:

• Compliance: the canonical stub is authoritative, repos that match it pass
• SonarCloud: immutable SHA refs are not flagged as hotspots

Follow-up

Once this merges, bmad-bgreat-suite PR #129's branch will be updated to @SHA # v1 to match the new canonical stub and clear its SonarCloud failure.

Test plan

• non-stub-auto-rebase.yml compliance check passes (stub matches updated template)
• SonarCloud passes on adopting repos

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Improved build stability by pinning the reusable workflow reference to a fixed commit SHA instead of a moving tag.

• Chores

  • Updated compliance checks to accept SHA-pinned reusable-workflow stubs (preferred) while still allowing legacy tag pins.

• Documentation

  • CI guidance revised to prefer SHA-pinned reusable workflow references, retaining compatibility with the legacy tag.

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 53 minutes and 39 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8718cdb2-a9bc-48de-b327-18741b81cafa

📥 Commits

Reviewing files that changed from the base of the PR and between b992166 and d5a34c5.

📒 Files selected for processing (3)

• scripts/compliance-audit.sh
• standards/ci-standards.md
• standards/workflows/auto-rebase.yml

📝 Walkthrough

Walkthrough

Pins the reusable workflow reference used by the auto-rebase job from the moving tag @v1 to a fixed commit SHA; updates the compliance audit script and CI standards docs to prefer SHA-pinned reusable workflow stubs while still accepting @v1. No other runtime behavior changes.

Changes

Workflow Pinning

Layer / File(s)	Summary
Data / Config standards/workflows/auto-rebase.yml	uses: reference changed from @v1 to @126c1441ee9cf040f2ce3ef0eda85d459b82f8e9.
Documentation standards/ci-standards.md	Guidance updated to prefer SHA-pinned reusable workflow caller stubs, while still accepting @v1 for backwards compatibility.

Compliance Audit & Detection

Layer / File(s)	Summary
Policy Text scripts/compliance-audit.sh (comments around lines ~637-654)	Rule description updated to state tier-1 caller stubs must delegate using either a 40-hex SHA (preferred) or @v1 (legacy).
Detection Logic scripts/compliance-audit.sh (function check_centralized_workflow_stubs, ~699-727)	Validation broadened to accept uses: pinned to a full 40-hex commit SHA or @v1; non-compliance classification adjusted to distinguish non-SHA/non-@v1 pins vs non-canonical or inline copies.
Remediation Message scripts/compliance-audit.sh (~728-730)	Remediation text updated to instruct replacement with canonical stub delegating via a SHA-pinned uses: reference.
Tests / Other (no test changes)	No test files were changed in this PR.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Compliance: unpinned-actions-auto-rebase.yml TalkTerm#144: Related — concerns unpinned auto-rebase.yml references addressed by this PR.
• Compliance: unpinned-actions-auto-rebase.yml broodly#167: Related — flags compliance for workflow pinning which this PR updates.
• Compliance: non-stub-auto-rebase.yml bmad-bgreat-suite#128: Related — raises non-@v1 pinning/compliance that this PR resolves.

Possibly related PRs

• petry-projects/.github#89: Modifies the same compliance check (check_centralized_workflow_stubs) that originally required @v1; this PR extends that logic to accept SHA pins.
• feat: add weekly compliance audit workflow #12: Related — earlier changes to compliance-audit.sh around centralized workflow stub detection.
• docs: add CI/CD standards and workflow patterns #11: Related — prior edits to CI standards about workflow pinning and tiers.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the primary change: pinning the auto-rebase stub to a SHA commit instead of a mutable tag to satisfy SonarCloud security requirements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auto-rebase-stub-sha-pin

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the canonical auto-rebase.yml thin-stub workflow to reference the reusable workflow via an immutable commit SHA (with a # v1 comment) instead of the mutable @v1 tag, to satisfy SonarCloud’s security gate.

Changes:

• Replaced uses: ...@v1 with uses: ...@<sha> # v1 in the auto-rebase.yml standards stub.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This change updates the canonical stub to a SHA-pinned uses: reference, but the compliance audit still hard-codes @v1 as the only acceptable pattern (see scripts/compliance-audit.sh check_centralized_workflow_stubs, which matches ...@v1 exactly). As-is, repos that adopt this updated stub will be flagged as non-compliant. Update the audit check to accept the SHA-pinned form (optionally with a trailing # v1 comment) or to compare against the canonical stub content instead of @v1.

[Copilot]

Documentation now becomes stale: standards/ci-standards.md currently states the canonical stub delegates to .../auto-rebase-reusable.yml@v1 (around line 514), but this file now uses a SHA. Please update the doc reference to match the new canonical format so adopters and the standard remain consistent.

Suggested change

	uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 # v1
	uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 # pinned SHA

[don-petry]

@claude Please address all open review comments on this PR from CodeRabbit and Copilot.

[claude]

Claude finished @don-petry's task in 2m 25s —— View job

---

Addressing Copilot Review Comments

• Gather context and analyze review comments
• Read scripts/compliance-audit.sh — check_centralized_workflow_stubs hard-coded @v1
• Read standards/ci-standards.md — line 514 referenced @v1
• Update compliance-audit.sh to accept SHA-pinned format
• Update ci-standards.md to reflect new canonical SHA-pinned format
• Commit and push changes

---

Both Copilot issues are resolved in commit fe3a291:

1. scripts/compliance-audit.sh — check_centralized_workflow_stubs

Updated to accept two canonical forms:

• SHA-pinned (preferred): @<40-hex-SHA> — satisfies SonarCloud's supply-chain security gate
• @v1 tag (legacy): still accepted for backwards compatibility

The function comment block, the compliance logic, and the add_finding error message were all updated. Repos adopting the updated SHA-pinned stub will now pass the compliance audit.

2. standards/ci-standards.md line 514

Updated the @v1 reference to document the preferred SHA-pinned format with an example (@126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 # v1) and a note that @v1 is still accepted for backwards compatibility.

Note: The Copilot suggestion to change the inline comment from # v1 to # pinned SHA was not applied — # v1 is more informative for readers (it conveys the semantic version, not just that pinning was done).
· Branch

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 711-716: The check_centralized_workflow_stubs routine currently
treats any 40-hex SHA as acceptable (the grep using ${base}@[0-9a-f]{40}), which
allows stale SHAs to pass; instead, load the canonical `uses:` reference (exact
string including the expected SHA) from standards/workflows/${wf} (or an
explicit expected-SHA map) and compare decoded lines exactly against that
canonical reference (or map entry) rather than accepting any SHA-shaped value;
update the logic around the checks that use variables decoded and base in
check_centralized_workflow_stubs to read the canonical expected value and only
continue when decoded matches that exact canonical `uses:` reference.

In `@standards/ci-standards.md`:
- Line 514: The standards text is contradictory about pinning reusable workflow
refs: update the policy so a single unambiguous rule is stated (e.g.,
"SHA-pinned refs are preferred; `@v1/`@main are allowed only for backwards
compatibility"), reconcile the paragraph for check_centralized_workflow_stubs
and the auto-rebase.yml guidance to match that rule, explicitly call out any
per-workflow exceptions (e.g., claude.yml) and where to use tag-based refs, and
update examples that reference
petry-projects/.github/.github/workflows/auto-rebase-reusable.yml and `@v1/`@main
to follow the unified wording.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2752d557-3598-4291-a2bd-9865303ded91

📥 Commits

Reviewing files that changed from the base of the PR and between e39fa2f and b992166.

📒 Files selected for processing (2)

• scripts/compliance-audit.sh
• standards/ci-standards.md

[don-petry]

@claude This PR has 4 unresolved review threads. The two Copilot threads from 2026-04-28 predate the claude.yml comment-trigger; the two CodeRabbit threads from 2026-05-07 came in after but weren't addressed. Please:

1. discussion_r3155524944 (Copilot, standards/workflows/auto-rebase.yml:41): the canonical stub is now SHA-pinned, but scripts/compliance-audit.sh::check_centralized_workflow_stubs matches …@v1 exactly. Update the audit check to accept the SHA-pinned form (optionally with a trailing # v1 comment) or compare against the canonical stub content.
2. discussion_r3155524987 (Copilot, doc): standards/ci-standards.md (~line 514) still states the canonical stub uses …@v1. Update the doc to match the SHA-pinned canonical.
3. discussion_r3198464700 (CodeRabbit, scripts/compliance-audit.sh:711-716): the routine accepts any 40-hex SHA, allowing stale-SHA drift past the audit. Compare against the canonical uses: reference loaded from standards/workflows/${wf} instead.
4. discussion_r3198464702 (CodeRabbit, standards/ci-standards.md:514): the policy text contradicts other sections (some say SHA-pinned reusables preferred, others say @v1/@main). Pick a single rule, call out per-workflow exceptions (e.g. claude.yml), and update examples to match.

Push the changes and resolve the threads.

---

Generated by Claude Code

[claude]

Claude finished @don-petry's task in 13m 34s —— View job

---

Addressing 4 unresolved review threads

• Gather context and read relevant files
• Addressing PR comments #1 (Copilot) — already resolved by commit fe3a291 (previous run)
• Add multi-agent isolation strategy using git worktrees #2 (Copilot) — already resolved by commit fe3a291 (previous run)
• Add coding standards & principles section to AGENTS.md #3 (CodeRabbit) compliance-audit.sh:711-716 — fixed: now loads canonical SHA from standards/workflows/${wf} via the GitHub API and compares exactly, instead of accepting any 40-hex SHA. Stale-pinned repos get an actionable "stale SHA" error message. Falls back to accepting any SHA on API failure to avoid false positives.
• Add workflow, environment, and orchestration guidance #4 (CodeRabbit) ci-standards.md — fixed: Tier 1 table row updated to describe SHA-pinned as the canonical form with @v1 as legacy-accepted; the "Why pin to @v1?" callout replaced with a "Stub reference pinning" note that covers both forms, explains why @main is not used, and describes the compliance-audit drift-detection loop.
• Commit created locally (4e0bb22)
• Push — blocked (see below)

---

Push failed — action needed

The push was rejected because the auto-rebase workflow fired during this run (a Dependabot bump merged to main), pushing new merge commits to the remote branch. This made my commit non-fast-forward. The claude job in claude-code-reusable.yml has no --allowedTools entry for git pull/git fetch, so I can't integrate the remote changes before pushing.

Fix: add Bash(git pull:*) to the claude job's allowed tools:

# In .github/workflows/claude-code-reusable.yml, claude job, Run Claude Code step:
claude_args: |
  --allowedTools "Bash(git pull:*)"

Then re-trigger with @claude <same request> — the new run will git pull, re-apply the same fixes, and push successfully.

---

Changes ready to apply (commit 4e0bb22)

scripts/compliance-audit.sh — load canonical SHA from stub, detect stale-SHA drift

-    local expected="petry-projects/\\.github/\\.github/workflows/${reusable}\\.yml@v1"
-
-    if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*${expected}([[:space:]]|$)"; then
-      continue  # stub is correctly pinned to @v1 — compliant
+    # Anchor to start-of-line so a `# uses: ...` comment cannot satisfy the check.
+    # Accepted canonical forms:
+    #   1. SHA-pinned to the current canonical SHA (preferred, satisfies SonarCloud):
+    #   2. @v1 mutable tag (legacy, still accepted for backwards compatibility):
+    local base="petry-projects/\\.github/\\.github/workflows/${reusable}\\.yml"
+
+    local canonical_sha=""
+    local canonical_raw
+    canonical_raw=$(gh_api "repos/$ORG/.github/contents/standards/workflows/$wf" \
+      --jq '.content' 2>/dev/null || echo "")
+    if [ -n "$canonical_raw" ]; then
+      canonical_sha=$(echo "$canonical_raw" | base64 -d 2>/dev/null \
+        | grep -E "^[[:space:]]*uses:" | grep -oE "[0-9a-f]{40}" | head -1 || true)
     fi
 
+    if [ -n "$canonical_sha" ]; then
+      if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*${base}@${canonical_sha}([[:space:]]|$)"; then
+        continue  # Pinned to the canonical current SHA — compliant
+      fi
+    else
+      if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*${base}@[0-9a-f]{40}([[:space:]]|$)"; then
+        continue  # Fallback: accept any SHA on API failure
+      fi
+    fi
+    if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*${base}@v1([[:space:]]|$)"; then
+      continue  # @v1 tag reference — compliant (SHA-pinned preferred)
+    fi
+
     local why
-    if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*petry-projects/...@"; then
-      why="references the reusable but is not pinned to \`@v1\`"
+    if [ -n "$canonical_sha" ] && echo "$decoded" | grep -qE "...@[0-9a-f]{40}"; then
+      why="is pinned to a stale SHA — re-sync from \`standards/workflows/${wf}\` to adopt the current SHA (\`${canonical_sha}\`)"
+    elif ...; then
+      why="references the reusable but is not pinned to the canonical commit SHA or \`@v1\`"

standards/ci-standards.md — reconcile contradictory policy text

Tier 1 table — updated "What lives in standards/workflows/" to say SHA-pinned is canonical, @v1 is legacy:

A thin caller stub that delegates via a SHA-pinned uses: reference (e.g. @<sha> # v1). @v1 is accepted for backwards compatibility.

Pinning callout — replaced "Why pin to @v1?" with:

Stub reference pinning — Canonical stubs delegate via an immutable commit SHA (e.g. @<sha> # v1) rather than a mutable tag. SHA-pinned refs are preferred because SonarCloud flags mutable tag references in uses: lines as Security Hotspots (supply-chain risk). The @v1 tag is accepted for backwards compatibility but SHA-pinned is the canonical form. Neither uses @main directly...

---

· Branch

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[donpetry-bot]

Superseded by automated re-review at 60f33db53ed3870683f439c65202b28894d23877 — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[donpetry-bot]

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

@dev-lead - please fix this PR

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push