fix(ci): pin claude-code-reusable workflow to SHA

[don-petry]

Summary

• Pin .github/workflows/claude.yml reusable workflow reference from tag @v1 to commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d per the org action-pinning policy
• Sync file with org template: add missing check_run: [completed] trigger

Change:
```yaml

Before

uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1

After

uses: petry-projects/.github@ee22b42 # v1
```

Closes #155

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 26 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dd806ffc-ae55-4601-9518-93dad6941d6a

📥 Commits

Reviewing files that changed from the base of the PR and between 9561715 and e6f8ee7.

📒 Files selected for processing (1)

• .github/workflows/claude.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-155-20260420-0033

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

Self-review complete — the change is minimal and correct:

• SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d verified as the commit SHA for the v1 tag via gh api repos/petry-projects/.github/git/refs/tags/v1
• # v1 comment retained for human readability
• check_run: [completed] trigger added to sync with org template

@don-petry — you are listed in CODEOWNERS as the code owner for this repository. Please review and merge when ready.

[Copilot]

Pull request overview

Pins the org-level Claude Code reusable workflow reference to an immutable commit SHA to satisfy action-pinning compliance, and syncs the local thin-caller workflow triggers with the org template.

Changes:

• Pin petry-projects/.github/.github/workflows/claude-code-reusable.yml from @v1 to a commit SHA.
• Add missing check_run: [completed] trigger to align with the org template.

[Copilot]

The file header says you “MUST NOT change” the trigger events or the uses: line, but this PR necessarily updates both (pinning to a SHA and adding check_run). To avoid confusing future maintainers (and to align with the org action-pinning policy), please update the header guidance to explicitly allow syncing these fields from the upstream template / updating the pinned SHA.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[donpetry-bot]

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: LOW
Reviewed commit: e6f8ee793ce091d4ea1528dec0a0545fc4dc8074
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

The change is a correct, minimal SHA-pin of a reusable workflow reference — a security improvement per org policy — with all CI gates green and SonarQube passing. However, the PR cannot be merged: it has an unresolved merge conflict (DIRTY state since 2026-05-16) and still requires approval from the org-leads team.

Findings

• major: Branch has an unresolved merge conflict with main (mergeStateStatus=DIRTY). Auto-rebase failed on 2026-05-16. The PR cannot be merged until the author resolves the conflict and pushes.
• major: reviewDecision=REVIEW_REQUIRED: the org-leads team review has been requested but not yet granted. Formal approval is needed before merge.
• info: Copilot flagged that the comment header on lines 9-11 says 'You MAY change: nothing in this file in normal use' and 'You MUST NOT change: ... the uses: line', which contradicts this PR's legitimate SHA-pin update. Claude suggested an updated header but could not apply it due to permissions. The author has not applied the suggested fix yet.
• info: SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d was verified by the author against the v1 tag via gh api. Pinning to an immutable SHA prevents supply-chain risk from mutable tag reassignment. Change is correct and intentional.

---

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[don-petry]

@dev-lead - please fix this PR

[don-petry]

Closing as superseded and incorrect.

Why this PR is wrong: Per ci-standards.md#action-pinning-policy, internal reusable workflow refs (petry-projects/.github/...) are explicitly exempt from SHA-pinning. The standard says: "Do not SHA-pin internal reusable workflow refs."

Why this PR is obsolete: The underlying issue was resolved by PR #277, which removed claude.yml entirely (deprecated 2026-05, replaced by dev-lead.yml). The file this PR modifies no longer exists on main.

The compliance finding will auto-close on the next weekly audit run now that claude.yml no longer exists in this repo.