fix(ci): pin auto-rebase reusable workflow to SHA

[don-petry]

Summary

• Pins petry-projects/.github/.github/workflows/auto-rebase-reusable.yml from @v1 to its resolved commit SHA 126c1441ee9cf040f2ce3ef0eda85d459b82f8e9
• Retains # v1 comment so the human-readable version is still visible
• Brings the repository into compliance with the org-wide action-pinning policy

Closes #144

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow configuration to pin a reusable workflow dependency to a specific commit hash instead of a version reference, ensuring consistent workflow execution.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 16b1ac5a-91d5-4625-a3b2-ea3eb332c86c

📥 Commits

Reviewing files that changed from the base of the PR and between 2ecfdb3 and 4c23597.

📒 Files selected for processing (1)

• .github/workflows/auto-rebase.yml

---

📝 Walkthrough

Walkthrough

Updates .github/workflows/auto-rebase.yml to pin the reusable workflow reference to a specific commit SHA instead of a version tag, addressing action-pinning compliance requirements.

Changes

Cohort / File(s)	Summary
Workflow Action Pinning .github/workflows/auto-rebase.yml	Pins reusable workflow reference from @v1 tag to commit SHA @126c1441ee9cf040f2ce3ef0eda85d459b82f8e9, retaining the version comment for reference clarity.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• Compliance: unpinned-actions-auto-rebase.yml #144 — Directly addresses the unpinned-actions compliance finding for this specific workflow file.
• Compliance: unpinned-actions-claude.yml bmad-bgreat-suite#84 — Related change applying the same action-pinning pattern to a different repository's workflow.
• Compliance: unpinned-actions-auto-rebase.yml google-app-scripts#237 — Related change pinning a reusable workflow reference to resolve the same action-pinning compliance requirement.
• Compliance: unpinned-actions-auto-rebase.yml broodly#167 — Related change addressing unpinned-action compliance by pinning to a commit SHA.
• Compliance: unpinned-actions-claude.yml markets#84 — Related change applying action-pinning standards to a reusable workflow reference.
• Compliance: unpinned-actions-claude.yml #86 — Related change pinning a reusable workflow to address action-pinning compliance.
• Compliance: unpinned-actions-claude.yml broodly#100 — Related change addressing GitHub workflow action-pinning compliance across multiple repositories.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: pinning the auto-rebase reusable workflow from @v1 to a fixed commit SHA.
Linked Issues check	✅ Passed	The PR successfully addresses issue #144 by pinning the auto-rebase reusable workflow to commit SHA 126c1441ee9cf040f2ce3ef0eda85d459b82f8e9, bringing the repository into compliance with the org-wide action-pinning policy.
Out of Scope Changes check	✅ Passed	All changes are scoped to the objective: pinning the reusable workflow reference and retaining the human-readable comment, with only a trailing newline adjustment.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-144-20260501-1332

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

Self-review complete — the change looks correct:

• SHA 126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 is the resolved commit for the v1 tag (verified via GitHub API)
• Only the uses: line was modified; the trigger event, concurrency group, and job-level permissions: block are all unchanged (as required by the file's AGENTS header)
• # v1 comment retained for human readability

Waiting for CI. @don-petry — CODEOWNERS designates you as reviewer. Please review and merge when checks pass.

[Copilot]

Pull request overview

Pins the org-level reusable workflow reference in the repo’s auto-rebase caller workflow to a specific commit SHA to satisfy the action-pinning compliance requirement.

Changes:

• Update .github/workflows/auto-rebase.yml to use a commit SHA instead of @v1 for petry-projects/.github/.github/workflows/auto-rebase-reusable.yml.
• Preserve the # v1 inline comment for human-readable version context.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

@dev-lead - please fix this PR

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push