fix: pin pr-review-mention reusable to SHA d3d768d

[don-petry]

Summary

Pin .github/workflows/pr-review-mention.yml to the correct SHA instead of @v1.

Root cause: The v1 lightweight tag in petry-projects/.github pointed to commit 0cb4bba1 which predates the addition of pr-review-mention-reusable.yml (added in PR #237 on 2026-05-11). This caused a parse-time error in all caller repos:

error parsing called workflow: failed to fetch workflow: workflow was not found.

Fix: Pin to d3d768dabb7f28cc63283cdfe48630da53700e50 (latest main commit containing the reusable workflow).

The v1 tag has been force-moved to d3d768d and a new v2 tag cut at the same SHA.

Ref: petry-projects/.github#267

Generated with Claude Code

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 54 minutes and 24 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6e5d2706-a639-48e8-b1a8-97e31065eead

📥 Commits

Reviewing files that changed from the base of the PR and between e6e0523 and 097fbd2.

📒 Files selected for processing (1)

• .github/workflows/pr-review-mention.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/pin-pr-review-mention-sha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

This PR updates the PR review mention workflow caller to reference the reusable workflow at a specific commit SHA, avoiding failures caused by an unavailable reusable workflow at the prior @v1 ref.

Changes:

• Pins pr-review-mention-reusable.yml to commit d3d768dabb7f28cc63283cdfe48630da53700e50.
• Adds maintenance guidance for updating the shared template and fanout PRs when publishing a new SHA.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

@donpetry-bot

[don-petry]

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 097fbd26890074e97b12230ea6d69656868a8644
Review mode: triage-approved (single reviewer)

Summary

Tiny one-file workflow fix that replaces the broken @v1 tag reference for the org-level pr-review-mention-reusable.yml with a pinned commit SHA (d3d768d), and adds a maintainer comment about fanning out future SHA bumps. The previous @v1 tag pointed to a commit that predated the existence of the reusable workflow, causing parse-time workflow was not found errors in caller repos. SHA pinning is also the recommended GitHub Actions security posture (immutable reference).

Linked issue analysis

No closes/fixes issue is attached. The PR body references petry-projects/.github#267 as context for why the @v1 tag was broken; this is informational, not a closure link, and that is appropriate for a workflow hotfix in a caller repo.

Findings

• Change is minimal and correct. Diff is +3/−1 in .github/workflows/pr-review-mention.yml: swap @v1 → @d3d768dabb7f28cc63283cdfe48630da53700e50 # main on the uses: line, plus a comment line.
• Security posture improves. Pinning a reusable workflow to an immutable commit SHA is the GitHub-recommended practice over floating tags, and matches the project's other hardening patterns.
• No supply-chain concern. The pinned reusable lives in petry-projects/.github, the same org; the SHA can be verified against that repo's main.
• No secrets, credentials, migrations, or runtime code touched.
• Copilot reviewer left a non-blocking summary comment with no requested changes.

CI status

All required checks passing:

• CodeQL (actions, python): SUCCESS
• SonarCloud / SonarQube Cloud: Quality Gate passed (0 new issues, 0 hotspots)
• gitleaks (secret scan): SUCCESS
• AgentShield: SUCCESS
• Claude Code: SUCCESS
• CodeRabbit: SUCCESS (rate-limited summary only; no findings)
• Dependency audit / Dependabot / pr-review-mention handlers: SKIPPED (not applicable to a workflow-only change)

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.