fix(compliance): address 2026-05-12 audit findings for .github repo #257

Open: don-petry wants to merge 24 commits into main from claude/issue-256-20260512-1812

@don-petry
Contributor

@don-petry don-petry commented May 12, 2026

Summary

Addresses compliance audit findings for the .github repo from the 2026-05-12 audit (issue #256).

Changes

  • ci.yml: Add secret-scan job running gitleaks in full-history mode — resolves secret_scan_ci_job_present error
  • dependency-audit.yml: Pin dtolnay/rust-toolchain@stable to commit SHA 29eef336 — resolves unpinned-actions-dependency-audit.yml error
  • scripts/compliance-audit.sh: Exempt petry-projects/.github internal reusable workflow refs from SHA-pinning check — resolves false-positive findings for agent-shield.yml, claude.yml, dependabot-automerge.yml (these use @v1/@main tags which are exempt per ci-standards.md#action-pinning-policy)

Settings Applied via API

  • dependabot_security_updates: enabled (was disabled)

Remaining Items (require admin PAT via apply-repo-settings.sh)

These settings could not be changed with the current token (require classic PAT with repo scope or org admin):

  • secret_scanning_ai_detection: requires GHAS/org admin token
  • secret_scanning_non_provider_patterns: requires GHAS/org admin token
  • check-suite-auto-trigger-1236702 (Claude): requires classic PAT
  • check-suite-auto-trigger-347564 (CodeRabbit): requires classic PAT

Run GH_TOKEN=<admin-pat> bash scripts/apply-repo-settings.sh .github to apply these.

Stale Findings (already resolved on main)

  • allow_auto_merge: already true — stale finding
  • delete_branch_on_merge: already true — stale finding
  • CODEOWNERS codeowners-org-leads-not-first / codeowners-no-catchall: already correct (* @petry-projects/org-leads) — stale finding

Closes #256

Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Chores
    • Improved secret scanning reliability in CI/CD pipeline with updated tooling.
    • Refined compliance audit checks for internal workflow references.

Copilot AI review requested due to automatic review settings May 12, 2026 18:19
@don-petry don-petry requested a review from a team as a code owner May 12, 2026 18:19
@coderabbitai

coderabbitai Bot commented May 12, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 26 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f44699f6-077d-485a-8285-62a0a974ce7a

📥 Commits

Reviewing files that changed from the base of the PR and between ed8ad7a and ba61bd7.

📒 Files selected for processing (1)
  • scripts/compliance-audit.sh
📝 Walkthrough

This PR replaces the manual gitleaks execution in the secret-scan CI job with the official pinned gitleaks/gitleaks-action and updates the compliance audit script to exempt internal reusable-workflow uses: references from SHA-pinning validation.

Changes

Secret Scanning and Compliance Audit

| Layer / File(s) | Summary |
| --- | --- |
| secret-scan job refactor to pinned gitleaks action<br>.github/workflows/ci.yml | Replaces inline gitleaks download and execution with the pinned gitleaks/gitleaks-action, adds security-events: write permission, enables full-history checkout (fetch-depth: 0), and configures the action with detect --source . --redact --verbose --exit-code 1 arguments and environment variables for GITHUB_TOKEN and GITLEAKS_LICENSE. |
| Compliance audit exemption for internal reusable workflows<br>scripts/compliance-audit.sh | Extends the check_action_pinning function to skip validation on internal petry-projects/.github/.github/workflows/ reusable-workflow references, preventing them from being counted as unpinned actions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

  • #256 — These changes implement two compliance remediation items: adding a pinned secret-scan CI job and updating action pinning audit rules to exempt internal reusable workflows.

Possibly related PRs

  • petry-projects/.github#12 — The compliance-audit.sh update directly extends the pinning-check logic originally introduced in this PR for the weekly audit script.
  • petry-projects/.github#159 — Implements the same "exempt internal reusable workflow references from SHA pinning" policy now being applied in the audit exemption list.
  • petry-projects/.github#87 — Centralizes reusable workflows using petry-projects/.github/.../workflows references, which this PR's exemption prevents from being flagged as unpinned.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Linked Issues check | ⚠️ Warning | The PR partially addresses linked issue #256. It implements the secret-scan job [Repository settings, Push Protection & Secret Scanning] and action pinning fixes [Action SHA Pinning, compliance-audit.sh], but omits critical work: repository settings enforcement [Repository settings], dependabot.yml addition [Dependabot Configuration], and other required workflows [Workflows]. | Complete remaining remediations from issue #256: add dependabot.yml, pin remaining workflow actions, apply repository settings via apply-repo-settings.sh, and ensure all required workflows are present. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly references the audit findings that prompted the changes and accurately describes the pull request's primary purpose to address 2026-05-12 compliance audit findings. |
| Out of Scope Changes check | ✅ Passed | All changes directly address the linked audit findings: secret-scan job addition, action pinning, compliance-audit.sh exemption pattern, and dependabot_security_updates enablement are all within the scope of issue #256 remediation. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the scripts/compliance-audit.sh script to exempt internal reusable workflows from SHA-pinning requirements. The review feedback suggests anchoring the exclusion pattern to the 'uses:' key to prevent false negatives that could occur if the exclusion string appears within a comment on an unpinned line.

# deliberate @v1/@main tags and are exempt per ci-standards.md#action-pinning-policy.
local unpinned
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' || true)
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'petry-projects/\.github/\.github/workflows/' || true)
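Review bot: the added `grep -vE 'petry-projects/\.github/\.github/workflows/'` stage exempts every reference under that path whatever its ref, while the comment above it justifies the exemption only for the deliberate @v1/@main tags. A reference to the same path at any other branch or tag would also drop out of `unpinned`. Consider matching the ref as well, for example requiring `@(v1|main)` at the end of the value, so the exemption is no wider than the policy the comment cites.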

medium

The exclusion pattern for internal reusable workflows is not anchored to the uses: value. If this string appears in a comment on an unpinned action line (e.g., uses: actions/checkout@v4 # internal ref: petry-projects/.github/.github/workflows/), the line will be incorrectly excluded from the audit findings, leading to a false negative. It is safer to ensure the pattern follows the uses: key to accurately target the action path.

Suggested change
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'petry-projects/\.github/\.github/workflows/' || true)
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE 'uses:\s+(docker://|\.\/|petry-projects/\.github/\.github/workflows/)' || true)
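
The false negative described in this review comment can be reproduced on a few constructed `uses:` lines. The script below is an added example, not code from the PR or from compliance-audit.sh; it writes `[[:space:]]` where the script uses `\s`, and its third variant, which exempts internal refs only at `@v1` or `@main`, goes beyond the suggestion and assumes the policy's exemption is limited to those two refs.

```shell
#!/bin/sh
# Constructed sample of decoded workflow lines (not taken from the repository).
# Line 2 is the case from the review comment: an unpinned action whose trailing
# comment happens to contain the internal workflow path.
sample_workflow() {
  cat <<'EOF'
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/checkout@v4 # internal ref: petry-projects/.github/.github/workflows/
      - uses: dtolnay/rust-toolchain@stable
    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1
    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@some-feature-branch
      - uses: docker://example.invalid/tool@sha256:0000
EOF
}

# Stages shared by all variants: keep 'uses:' lines that carry a ref,
# then drop the ones pinned to a 40-hex commit SHA.
candidates() {
  sample_workflow |
    grep -E '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]+[^#]*@' |
    grep -vE '@[0-9a-f]{40}'
}

# Variant 1: exemption as added in the PR, matched anywhere on the line.
# The comment on line 2 is enough to hide that line from the findings.
unpinned_unanchored() {
  candidates |
    grep -vE '(docker://|\./)' |
    grep -vE 'petry-projects/\.github/\.github/workflows/' || true
}

# Variant 2: the reviewer's suggestion, exemptions anchored to the uses: value.
unpinned_anchored() {
  candidates |
    grep -vE 'uses:[[:space:]]+(docker://|\./|petry-projects/\.github/\.github/workflows/)' || true
}

# Variant 3 (assumption, not in the PR): internal refs are exempt only when
# the ref is exactly @v1 or @main, so other branches and tags are reported.
unpinned_ref_constrained() {
  internal='petry-projects/\.github/\.github/workflows/[^@[:space:]]+@(v1|main)([[:space:]]|$)'
  candidates |
    grep -vE "uses:[[:space:]]+(docker://|\./|${internal})" || true
}

printf 'unanchored exemption:\n%s\n\n' "$(unpinned_unanchored)"
printf 'anchored exemption:\n%s\n\n' "$(unpinned_anchored)"
printf 'anchored and ref-constrained:\n%s\n' "$(unpinned_ref_constrained)"
```
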

@don-petry
Contributor Author

@petry-projects/org-leads — CI is green (all checks passing/skipped except CodeQL which is still running). This PR addresses the following .github repo findings from the 2026-05-12 compliance audit (#256):

  • secret_scan_ci_job_present: Added gitleaks secret-scan job to ci.yml
  • unpinned-actions-dependency-audit.yml: Pinned dtolnay/rust-toolchain@stable to SHA
  • unpinned-actions-agent-shield.yml / claude.yml / dependabot-automerge.yml: Fixed in compliance audit script (exempt per ci-standards.md#action-pinning-policy)
  • dependabot_security_updates: Enabled via API

Remaining items that require an admin PAT: secret_scanning_ai_detection, secret_scanning_non_provider_patterns, and check-suite auto-trigger preferences — run GH_TOKEN=<admin-pat> bash scripts/apply-repo-settings.sh .github.

Contributor

Copilot AI left a comment

Pull request overview

This PR addresses the 2026-05-12 compliance audit findings for the .github repo by tightening action pinning, fixing a workflow pinning finding, and adding the required CI secret-scanning job.

Changes:

  • Add a secret-scan CI job using gitleaks with full git history checkout.
  • Pin dtolnay/rust-toolchain@stable to a commit SHA in dependency-audit.yml.
  • Update scripts/compliance-audit.sh to exempt internal petry-projects/.github reusable workflow refs from SHA-pinning findings (per documented policy).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| scripts/compliance-audit.sh | Exempts internal .github reusable workflow references from the SHA-pinning audit check. |
| .github/workflows/dependency-audit.yml | Pins dtolnay/rust-toolchain to a commit SHA to satisfy action-pinning enforcement. |
| .github/workflows/ci.yml | Adds a secret-scan job using gitleaks with fetch-depth: 0 to satisfy secret-scan CI requirements. |

Comment thread .github/workflows/ci.yml
Comment on lines +111 to +116
- name: Run gitleaks
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
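Review bot: on the `with: args:` line, confirm that the action at this pinned commit actually reads an `args` input; if it does not, `--redact` and `--exit-code 1` never reach gitleaks and the job's failure behaviour is whatever the action defaults to. A quick way to settle it is a throwaway branch with a constructed test secret and a check that this step fails with the value redacted in the log. The SHA pin with its `# v2.3.9` comment is fine; keep the comment in sync whenever the pin is bumped.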
@github-actions
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

@github-actions
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot
Contributor

donpetry-bot commented May 14, 2026

Superseded by automated re-review at d41715899a03f3bf0f7a3a166a50f1464a02e600 — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry
Contributor Author

Auto-rebase failed — could not complete automatically

Two issues prevented automated resolution:


Issue 1: Git commands blocked (allowedTools bug)

The claude-rebase workflow uses --allowedTools "Bash(git*:*)" but this pattern does not match actual git commands because they never contain a : character. Commands git config, git fetch, git rebase, and git push all required user approval and could not proceed in an automated context.

Fix needed in .github/workflows/claude-code-reusable.yml: change Bash(git*:*) to Bash(git *) in the claude-rebase job's claude_args.


Issue 2: Application-code conflict in ci.yml

Even if git commands were available, the conflict in .github/workflows/ci.yml requires human judgment. Both PR #257 and the later-merged PR #277 (6f46503) added a secret-scan job, but with different implementations:

This is an application-logic conflict (not just a pin-version difference), which must be resolved by a human per rebase policy.

Recommendation: the main version (PR #277) is the more mature implementation — drop the gitleaks-action approach from this PR and keep main's version.


Manual resolution steps

git fetch origin
git rebase origin/main
# Conflict in .github/workflows/ci.yml — two implementations of the secret-scan job
# Accept main's version (keeps the direct binary install approach from PR #277):
git checkout --ours -- .github/workflows/ci.yml
git add .github/workflows/ci.yml
git rebase --continue
git push --force-with-lease

Key decision: keep the main branch's secret-scan implementation (direct gitleaks binary install with SHA verification) and discard the gitleaks-action approach from this PR, since PR #277 already merged the better fix to main.

@don-petry
Contributor Author

Auto-rebase: Manual Resolution Required

The auto-rebase workflow cannot automatically resolve the conflicts on this PR. The conflicts involve structural changes to workflow YAML files — not simple SHA/version pin updates — which require human judgment.

What's Conflicting

The PR's unique commits (fixing 2026-05-12 compliance findings) modified these files:

| File | PR Change | Conflict Source |
| --- | --- | --- |
| .github/workflows/ci.yml | Added secret-scan job using gitleaks/gitleaks-action | Main later replaced this with a direct binary install approach |
| .github/workflows/claude-code-reusable.yml | Merged bot review triggers into main claude job; removed separate claude-fix-review-comments job | Main has evolved these jobs differently since the PR was opened |
| scripts/compliance-audit.sh | Compliance script changes | Potential overlap with main's changes |
| standards/ci-standards.md | Standards doc updates | Potential overlap with main's changes |

The base branch (main) has moved from 575df99 to 761dd4a since the last merge-into-PR. GitHub reports rebaseable: false.

Manual Resolution Steps

git fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# Resolve conflicts in the files listed above
# For ci.yml: reconcile the secret-scan job approach (binary install vs. action)
# For claude-code-reusable.yml: reconcile the bot trigger logic
git add .github/workflows/ci.yml
git add .github/workflows/claude-code-reusable.yml
git add scripts/compliance-audit.sh
git add standards/ci-standards.md
git rebase --continue
git push --force-with-lease

Additional Notes

  • The environment also lacked git write permissions (git config, fetch, rebase all required interactive approval), preventing the automated rebase from running.
  • This PR has been updated via merge commits multiple times; consider whether a squash-and-rebase might be cleaner.

/cc @petry-projects/org-leads

@don-petry
Contributor Author

Auto-Rebase: Failed — Permission Error

The automated rebase agent was unable to complete the rebase for this PR because the required git operations (git fetch, git rebase, git push) are blocked by the current Claude Code permission configuration in this environment.

What needs to happen manually

git fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# If conflicts arise in .github/workflows/*.yml (action pin conflicts):
#   - Compare pinned SHAs/tags on both sides
#   - Keep the side with the newer version
#   - git add <resolved-file>
#   - git rebase --continue
# If conflicts arise in any other file:
#   - Resolve manually based on intent of both changes
#   - git add <resolved-file>
#   - git rebase --continue
git push --force-with-lease

Files that differ between this branch and main

  • .github/workflows/auto-rebase-reusable.yml
  • .github/workflows/ci.yml
  • .github/workflows/claude-code-reusable.yml
  • .gitleaks.toml
  • scripts/compliance-audit.sh
  • standards/ci-standards.md
  • standards/github-settings.md
  • standards/workflows/dev-lead.yml

Root cause

The Claude Code session running this agent does not have git fetch, git rebase, or git push in its permission allowlist. A project maintainer can fix this by adding the following to .claude/settings.json:

{
  "permissions": {
    "allow": [
      "Bash(git fetch *)",
      "Bash(git rebase *)",
      "Bash(git push --force-with-lease)",
      "Bash(git config *)"
    ]
  }
}

@don-petry
Contributor Author

Auto-rebase: conflict could not be resolved automatically

The auto-rebase agent attempted to rebase claude/issue-256-20260512-1812 onto main but encountered an application-logic conflict that requires human judgment.

Conflict details

File: .github/workflows/ci.yml

Both this PR and main independently added a secret-scan job at the same location (after the agent-security job), but with fundamentally different implementations:

| | This PR (theirs) | main (ours — PR #277) |
| --- | --- | --- |
| Approach | gitleaks/gitleaks-action action | Direct binary download |
| Permissions | contents: read + security-events: write | contents: read only |
| Config | No .gitleaks.toml | Uses .gitleaks.toml (added by main) |
| License | Requires GITLEAKS_LICENSE secret | No license required |
| Merged date | 2026-05-12 | 2026-05-13 (newer) |

This is not a simple action-pin version conflict — the entire job structure differs. A human must decide which implementation to keep (most likely main's direct-download approach, since it was merged later and avoids a license dependency).

Manual resolution steps

git fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# Git will stop at the conflict in .github/workflows/ci.yml
# Edit the file to resolve the secret-scan job conflict
# Recommended: keep main's direct-download implementation
git add .github/workflows/ci.yml
git rebase --continue
git push --force-with-lease

Recommended resolution for ci.yml

Keep the secret-scan job from main (direct download, no license required):

  secret-scan:
    name: Secret scan (gitleaks)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout (full history)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: "8.30.1"
        run: |
          # Checksum kept in the shell run block (not as a YAML env var) to avoid
          # SonarCloud flagging hex strings in env: sections as Security Hotspots.
          gitleaks_checksum="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
          tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}"
          install_dir="${RUNNER_TEMP}/gitleaks-bin"
          mkdir -p "${install_dir}"
          wget -q "${url}" -O /tmp/gitleaks.tar.gz
          echo "${gitleaks_checksum}  /tmp/gitleaks.tar.gz" | sha256sum -c
          tar -xzf /tmp/gitleaks.tar.gz -C "${install_dir}" gitleaks
          chmod +x "${install_dir}/gitleaks"
          echo "${install_dir}" >> "${GITHUB_PATH}"

      - name: Run gitleaks
        run: gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1

Note: Main's approach is preferred because it was merged later (2026-05-13 vs 2026-05-12), does not require a GITLEAKS_LICENSE secret, and uses the .gitleaks.toml config file that main added alongside it.

github-actions Bot and others added 2 commits May 16, 2026 13:13
- ci.yml: add secret-scan job (gitleaks full-history scan) — fixes
  secret_scan_ci_job_present finding per push-protection standard
- dependency-audit.yml: pin dtolnay/rust-toolchain@stable to commit SHA
  (29eef336) — fixes unpinned-actions-dependency-audit.yml finding
- compliance-audit.sh: exempt petry-projects/.github internal reusable
  workflow refs from SHA-pinning check — fixes false-positive findings
  for agent-shield.yml, claude.yml, and dependabot-automerge.yml stubs
  which are exempt per ci-standards.md#action-pinning-policy
- dependabot_security_updates enabled via API (was disabled)

Remaining settings requiring admin PAT (apply-repo-settings.sh):
  secret_scanning_ai_detection, secret_scanning_non_provider_patterns,
  check-suite-auto-trigger for Claude and CodeRabbit apps

Closes #256

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Organization repos require GITLEAKS_LICENSE secret per ci-standards.md.

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
@don-petry don-petry force-pushed the claude/issue-256-20260512-1812 branch from 700a802 to a2494fe Compare May 16, 2026 13:13
@donpetry-bot
Contributor

donpetry-bot commented May 17, 2026

Superseded by automated re-review at 9cf20812b35f89005dca9e06d405169b5b99a755 — click to expand prior review.

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry
Contributor Author

@dev-lead - please fix this PR

@don-petry
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

Development

Successfully merging this pull request may close these issues.

Compliance audit — 2026-05-12

3 participants