ci: pin dependency-audit reusable workflow to SHA (closes #87)

[don-petry]

Summary

• Pin dependency-audit-reusable.yml reusable workflow reference from @v1 to its full commit SHA to satisfy the org-level action-pinning policy.

Change

# Before
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

# After
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1

SHA was resolved via gh api repos/petry-projects/.github/git/refs/tags/v1.

The # v1 comment is retained for human readability.

Closes #87

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow configuration to pin the dependency audit workflow to a specific version for improved stability and reproducibility.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fcf13dd8-af28-4034-b600-251f9292ade3

📥 Commits

Reviewing files that changed from the base of the PR and between f9d9937 and 7808f77.

📒 Files selected for processing (1)

• .github/workflows/dependency-audit.yml

---

📝 Walkthrough

Walkthrough

This PR pins a reusable GitHub Actions workflow reference in .github/workflows/dependency-audit.yml from a floating version tag (@v1) to a specific commit SHA (@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d), resolving a compliance finding for unpinned action dependencies.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Configuration .github/workflows/dependency-audit.yml	Pinned reusable workflow reference from floating tag @v1 to specific commit SHA for action pinning compliance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: pinning the dependency-audit reusable workflow to a commit SHA, and directly references the closed issue #87.
Linked Issues check	✅ Passed	The pull request successfully addresses issue #87 by pinning the unpinned action reference to a commit SHA, bringing the workflow into compliance with the organization's action-pinning policy.
Out of Scope Changes check	✅ Passed	The pull request contains only the minimal required change to address the compliance issue: updating the workflow reference from a tag to a commit SHA.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-87-20260419-1833

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry — this PR pins the dependency-audit-reusable.yml reusable workflow to its full commit SHA to resolve the action-pinning compliance finding in issue #87. Single-line change, SHA verified via gh api. Ready for your review and merge.

[Copilot]

Pull request overview

Pins the dependency-audit reusable workflow callsite to an immutable commit SHA to comply with the org action-pinning policy (remediating issue #87).

Changes:

• Update .github/workflows/dependency-audit.yml to reference petry-projects/.github reusable workflow by full commit SHA instead of @v1.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The header comment says editors "MUST NOT change ... the uses: line", but this workflow now requires updating the uses: ref (SHA) over time to stay current/compliant. Consider tweaking the guidance to something precise like “do not change the workflow path/job name; only update the pinned ref when bumping versions,” to avoid misleading future edits.

[don-petry]

Superseded by automated re-review at 95fe0186e2f921be374ca2aa39f26140289de440 — click to expand prior review.

Automated review — APPROVED

Risk: LOW
Reviewed commit: 7808f77c9924c942e00b769f68bc97bb43467502
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line change pinning a reusable workflow reference from a floating tag (@v1) to a full commit SHA, satisfying the org-level action-pinning policy and closing issue #87. All CI checks pass (CodeQL, SonarCloud, AgentShield, CodeRabbit); no new issues or security hotspots detected.

Findings

Info

• [info] .github/workflows/dependency-audit.yml:33 — SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d was resolved per the PR description via gh api repos/petry-projects/.github/git/refs/tags/v1. Cannot independently verify the SHA without access to the upstream repo, but the derivation is documented and auditable.

CI status

All checks green (CodeQL, SonarCloud, AgentShield, CodeRabbit). Reason codes: ci-green, single-line-change, security-improvement, issue-addressed.

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[petry-projects-pr-review-agent]

Automated approval after review posting fix

[petry-projects-pr-review-agent]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: a6a83ffb7b99f604dd608a6bb643f9fa1ac9fe0e
Review mode: triage-approved (single reviewer)

Summary

PR #104 adds a single idempotent bash script (.github/scripts/apply-repo-settings.sh, 48 lines) that enforces org-standard repository settings via gh api -X PATCH. This directly resolves compliance issue #90 (delete_branch_on_merge must be true). No production code is changed — the script is a manual admin tool requiring an explicit GH_TOKEN with admin scope at runtime. No substantive code changes since the prior cascade review (only merge commits and a CI retrigger).

Linked issue analysis

• Closes #90 — Compliance audit flagged delete_branch_on_merge as null (expected true). The script sets delete_branch_on_merge=true along with all other org-standard defaults. The setting was also applied directly via the API per the PR description. Issue is substantively addressed.

Findings

No blocking issues. Minor observations (informational only, not blocking):

• [info] -F (typed field) is used for string enum values like squash_merge_commit_title=PR_TITLE. The gh CLI handles this correctly, though -f (raw string) would be slightly more self-documenting for non-boolean/non-numeric values.
• [info] REPO is hardcoded to petry-projects/markets. This is intentional and appropriate for a compliance-enforcement script scoped to this repository.

CI status

All checks passed:

• ✅ CodeQL (actions) — SUCCESS
• ✅ SonarCloud — SUCCESS (0 new issues, 0 security hotspots)
• ✅ AgentShield — SUCCESS
• ✅ CodeRabbit — SUCCESS
• ✅ Dependency audit — ecosystem detection SUCCESS, language-specific audits SKIPPED (no applicable ecosystems)
• ✅ CI — ecosystem detection SUCCESS, Backend/Frontend SKIPPED (no changes to those layers)

---

Reviewed automatically by the don-petry PR-review agent (single-reviewer, triage-approved). Reply with @don-petry if you need a human.

[petry-projects-pr-review-agent]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: e0886512c9fdfd51836fcf070403a0d6b1fbc7bd
Review mode: triage-approved (single reviewer)

Summary

Single-file GitHub Actions workflow change adopting the org-standard dependabot-rebase caller stub. Pins the reusable workflow to SHA 3c6335c0 (replacing mutable @v1 tag), replaces blanket secrets: inherit with explicit APP_ID/APP_PRIVATE_KEY, adds workflow_dispatch trigger, and escalates job permissions from read to write (justified by rebase and re-approve operations). Net security posture is improved.

Linked issue analysis

No linked issues. PR description states it supersedes prior SHA-pinning and dispatch PRs — this is a standards-adoption change with self-contained motivation.

Findings

No blocking issues.

Positive changes:

• Reusable workflow ref changed from mutable tag @v1 to SHA-pinned @3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 — prevents tag-hijack supply-chain risk.
• secrets: inherit (passes all repo secrets) replaced with explicit APP_ID / APP_PRIVATE_KEY — reduces secret surface area.

Informational:

• Permission escalation from contents: read / pull-requests: read to contents: write / pull-requests: write — necessary for the reusable workflow to update branches and re-approve PRs post-rebase. Inline comments document the rationale. Blast radius is limited by the SHA-pinned reusable ref.
• workflow_dispatch trigger added — allows manual flush of the Dependabot PR queue. Low risk.

CI status

All checks passed:

• ✅ CodeQL (actions) — SUCCESS
• ✅ SonarCloud — SUCCESS (0 new issues, 0 security hotspots)
• ✅ AgentShield — SUCCESS
• ✅ CodeRabbit — SUCCESS
• ✅ Dependency audit — ecosystem detection SUCCESS
• ✅ CI — ecosystem detection SUCCESS

---

Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.

Superseded by automated re-review at 95fe018.

[petry-projects-pr-review-agent]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the don-petry PR-review cascade.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

@dev-lead - please fix this PR

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push