feat: implement issue #328 — Compliance: non-stub-agent-shield.yml

[don-petry]

Closes #328

Implemented by dev-lead agent. Please review.

[coderabbitai]

Warning

Review limit reached

@github-actions[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 58 minutes and 34 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 271dc489-237a-48be-b922-8b44faec06a2

📥 Commits

Reviewing files that changed from the base of the PR and between b6c4f09 and 25a13a1.

📒 Files selected for processing (3)

• .github/workflows/agent-shield.yml
• .github/workflows/ci-failure-analyst.yml
• .gitignore

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev-lead/issue-328-20260526-1718

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request adds a duplicate entry .dev-lead/ to the .gitignore file. The review feedback correctly points out that this entry is redundant and should be removed.

[gemini-code-assist]

The entry .dev-lead/ is already present in the .gitignore file. This duplicate entry is redundant and should be removed.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f4402f3f4a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pin reusable workflow to immutable commit SHA

Reference @v1 is a mutable tag, so this repository can start executing different CI logic without any change in this repo whenever the upstream tag is moved. For a security/compliance workflow, that removes reproducibility and weakens supply-chain guarantees compared with the previous pinned SHA; use an immutable commit ref to keep scans deterministic and auditable.

Useful? React with 👍 / 👎.

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

This PR brings the repository into compliance with issue #328 by updating the AgentShield workflow to use the org-standard @v1 ref for the centralized reusable workflow.

Changes:

• Update .github/workflows/agent-shield.yml to reference petry-projects/.github/.../agent-shield-reusable.yml@v1.
• (Unrelated) Adds a duplicated .dev-lead/ entry in .gitignore (should be deduped).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/agent-shield.yml	Pins AgentShield reusable workflow reference to the org-standard @v1 tag for compliance.
.gitignore	Adds a duplicate ignore entry for .dev-lead/ (recommended to keep only one).

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 25a13a1c2b28f251a04d31b94f4e5f194b6e8c41
Review mode: triage-approved (single reviewer)

Summary

Compliance PR addressing issue #328 by updating agent-shield.yml to reference the org-standard @v1 tag for the centralized reusable workflow. Diff is tiny (+5/-4) across 3 files: the substantive workflow ref change, cosmetic prettier/eslint auto-fixes in ci-failure-analyst.yml, and a (harmless) duplicate .gitignore entry. CodeQL checks pass and the change is first-party and explicitly mandated by the linked compliance issue.

Linked issue analysis

Issue #328 is a compliance-audit finding requiring agent-shield.yml to delegate to petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1 per the org centralization standard. The PR replaces the SHA pin with @v1, which is exactly the canonical stub the standard requires. Substantively addressed.

Findings

.github/workflows/agent-shield.yml — Switches a pinned SHA to @v1. For third-party actions this would be a security regression, but the target is a first-party reusable workflow within the same org (petry-projects/.github) and the move is mandated by the org centralization standard referenced in #328. Acceptable.

.github/workflows/ci-failure-analyst.yml — Pure formatting churn from the prettier/eslint auto-fix commit (double→single quotes, inline-comment whitespace). No semantic change. Fine.

.gitignore — Adds a duplicate .dev-lead/ line. Several reviewers (gemini, copilot) flagged this. Functionally harmless — git deduplicates — but worth tidying in a follow-up.

SonarQube — Quality gate failed with 1 Security Hotspot. Hotspots are advisory ("code to review"), not confirmed vulnerabilities; the most likely trigger is the SHA→tag change, which is the deliberate org-standard outcome. Reviewed and accepted.

CI status

• CodeQL (actions / javascript-typescript / python / aggregate): SUCCESS
• CodeRabbit: SUCCESS (review skipped — rate limit; not blocking)
• SonarQube: failed quality gate due to 1 advisory Security Hotspot (see Findings)
• mergeStateStatus: BLOCKED is due to REVIEW_REQUIRED, not failing checks

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push