fix: pin dependabot-automerge reusable workflow to SHA #133

Open
don-petry wants to merge 20 commits into main from claude/issue-85-20260419-1933

Conversation

@don-petry
Contributor

@don-petry don-petry commented Apr 19, 2026

Summary

Pin the dependabot-automerge-reusable.yml reference from the floating @v1 tag to its resolved commit SHA to satisfy the action-pinning policy.

Before:

uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1

After:

uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1

The SHA was verified via gh api repos/petry-projects/.github/git/refs/tags/v1 and confirmed as a direct commit reference (not an annotated tag object).

Closes #85

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configuration to use a specific pinned version for improved stability and reliability.

Pin `dependabot-automerge-reusable.yml` reference from floating `@v1`
tag to its resolved commit SHA to satisfy the action-pinning policy.

Closes #85

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 19:44
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

📝 Walkthrough

A GitHub Actions workflow configuration is updated to pin a reusable workflow reference from a version tag (@v1) to a specific commit SHA, addressing a compliance requirement for action pinning.

Changes

Workflow Action Pinning

Layer: Configuration Update
File(s): .github/workflows/dependabot-automerge.yml
Summary: Reusable workflow reference in jobs.dependabot-automerge.uses pinned from petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1 to commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

The provided related PRs are located in different repositories (petry-projects/markets) and therefore lack a direct code-level connection within this repository's codebase, so no related PRs within this repo context are identified.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: pinning a GitHub Actions reusable workflow reference from a tag to a specific commit SHA, which directly addresses the action-pinning compliance requirement.
Linked Issues check ✅ Passed The pull request successfully fulfills issue #85 by replacing the unpinned @v1 tag with the verified commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d), bringing the workflow into compliance with the action-pinning policy.
Out of Scope Changes check ✅ Passed The changes are minimal and directly scoped to the compliance requirement; only the workflow reference was updated from @v1 to a pinned SHA, with no unrelated modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@don-petry
Contributor Author

Self-review complete — no issues found. The change is a minimal one-line update pinning the floating @v1 tag to its resolved commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d, exactly as required by the action-pinning policy.

@don-petry as CODEOWNER, please review and merge when CI is green.


Copilot AI left a comment

Pull request overview

Pins the Dependabot automerge reusable workflow reference to an immutable commit SHA to comply with the org action-pinning policy (closes #85).

Changes:

  • Updated .github/workflows/dependabot-automerge.yml to use a resolved commit SHA instead of the floating @v1 tag for the reusable workflow.

@don-petry
Contributor Author

don-petry commented Apr 20, 2026

Superseded by automated re-review at 27fe4fa1b5aba8fc728dc1f471c0ed4555889a80 (prior review follows).

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 4fdb3eae7b9a951772b5e447ce11e2c7dd2bc6d3
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line change in a GitHub Actions workflow pinning a reusable workflow reference from a floating @v1 tag to its resolved commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d. The SHA was independently verified against the v1 tag in petry-projects/.github and confirmed correct (direct commit, not annotated object). All CI checks passed (AgentShield, CodeQL, SonarCloud, CodeRabbit) and the change closes issue #85 per the org's action-pinning policy.

Findings

Info

  • .github/workflows/dependabot-automerge.yml:39 — Change replaces mutable floating tag @v1 with immutable SHA pin — this is a security improvement, not a risk. SHA independently verified: ee22b427cbce9ecadcf2b436acb57c3adf0cb63d matches refs/tags/v1 in petry-projects/.github (type: commit, not annotated tag).
  • (triage-failure) Triage tier escalated with signal triage-output-invalid (tier 1 failure, not a signal about the PR itself). Deep review found no issues warranting further escalation.

CI status

All CI checks passed: AgentShield (SUCCESS), CodeQL (SUCCESS), SonarCloud (SUCCESS, 0 issues, 0 security hotspots), CodeRabbit (SUCCESS). Backend/Frontend CI and dependency audit correctly skipped (no source or dependency changes).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 20, 2026 12:02

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Automated approval after review posting fix


@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.


@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: a6a83ffb7b99f604dd608a6bb643f9fa1ac9fe0e
Review mode: triage-approved (single reviewer)

Summary

PR #104 adds a single idempotent bash script (.github/scripts/apply-repo-settings.sh, 48 lines) that enforces org-standard repository settings via gh api -X PATCH. This directly resolves compliance issue #90 (delete_branch_on_merge must be true). No production code is changed — the script is a manual admin tool requiring an explicit GH_TOKEN with admin scope at runtime. No substantive code changes since the prior cascade review (only merge commits and a CI retrigger).

Linked issue analysis

  • Closes #90 — Compliance audit flagged delete_branch_on_merge as null (expected true). The script sets delete_branch_on_merge=true along with all other org-standard defaults. The setting was also applied directly via the API per the PR description. Issue is substantively addressed.

Findings

No blocking issues. Minor observations (informational only, not blocking):

  • [info] -F (typed field) is used for string enum values like squash_merge_commit_title=PR_TITLE. The gh CLI handles this correctly, though -f (raw string) would be slightly more self-documenting for non-boolean/non-numeric values.
  • [info] REPO is hardcoded to petry-projects/markets. This is intentional and appropriate for a compliance-enforcement script scoped to this repository.

CI status

All checks passed:

  • ✅ CodeQL (actions) — SUCCESS
  • ✅ SonarCloud — SUCCESS (0 new issues, 0 security hotspots)
  • ✅ AgentShield — SUCCESS
  • ✅ CodeRabbit — SUCCESS
  • ✅ Dependency audit — ecosystem detection SUCCESS, language-specific audits SKIPPED (no applicable ecosystems)
  • ✅ CI — ecosystem detection SUCCESS, Backend/Frontend SKIPPED (no changes to those layers)

Reviewed automatically by the don-petry PR-review agent (single-reviewer, triage-approved). Reply with @don-petry if you need a human.


@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: e0886512c9fdfd51836fcf070403a0d6b1fbc7bd
Review mode: triage-approved (single reviewer)

Summary

Single-file GitHub Actions workflow change adopting the org-standard dependabot-rebase caller stub. Pins the reusable workflow to SHA 3c6335c0 (replacing mutable @v1 tag), replaces blanket secrets: inherit with explicit APP_ID/APP_PRIVATE_KEY, adds workflow_dispatch trigger, and escalates job permissions from read to write (justified by rebase and re-approve operations). Net security posture is improved.

Linked issue analysis

No linked issues. PR description states it supersedes prior SHA-pinning and dispatch PRs — this is a standards-adoption change with self-contained motivation.

Findings

No blocking issues.

Positive changes:

  • Reusable workflow ref changed from mutable tag @v1 to SHA-pinned @3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 — prevents tag-hijack supply-chain risk.
  • secrets: inherit (passes all repo secrets) replaced with explicit APP_ID / APP_PRIVATE_KEY — reduces secret surface area.

Informational:

  • Permission escalation from contents: read / pull-requests: read to contents: write / pull-requests: write — necessary for the reusable workflow to update branches and re-approve PRs post-rebase. Inline comments document the rationale. Blast radius is limited by the SHA-pinned reusable ref.
  • workflow_dispatch trigger added — allows manual flush of the Dependabot PR queue. Low risk.

CI status

All checks passed:

  • ✅ CodeQL (actions) — SUCCESS
  • ✅ SonarCloud — SUCCESS (0 new issues, 0 security hotspots)
  • ✅ AgentShield — SUCCESS
  • ✅ CodeRabbit — SUCCESS
  • ✅ Dependency audit — ecosystem detection SUCCESS
  • ✅ CI — ecosystem detection SUCCESS

Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot dismissed their stale review April 30, 2026 03:33

Superseded by automated re-review at 27fe4fa.

@petry-projects-pr-review-agent

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the don-petry PR-review cascade.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/dependabot-automerge.yml (1)

38-38: LGTM — correct SHA format, # v1 comment, and no prohibited fields changed.

Pinning an action to a full-length commit SHA is the only way to use an action as an immutable release. The 40-character SHA with the inline # v1 comment follows the recommended practice of tying the commit SHA to a tag version and annotating it in a comment, which helps teams track versions and makes it easier to identify outdated actions.

Heads-up on automated update coverage: Dependabot only creates alerts for vulnerable actions that use semantic versioning and will not create alerts for actions pinned to SHA values. Consider adding a Renovate or Dependabot github-actions version-update entry so the SHA can be bumped automatically when a new v1 patch is released upstream.

📥 Commits

Reviewing files that changed from the base of the PR and between e9cd9cb and 098f46b.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-automerge.yml

contents: read
pull-requests: read
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm ee22b427cbce9ecadcf2b436acb57c3adf0cb63d resolves to the v1 tag
# in the petry-projects/.github repo and is NOT from a fork.

PINNED="ee22b427cbce9ecadcf2b436acb57c3adf0cb63d"

# 1. Resolve the v1 ref to the object it points at, and record that object's type
#    ("commit" for a lightweight tag, "tag" for an annotated tag object)
TAG_SHA=$(gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.sha' 2>/dev/null)
TAG_TYPE=$(gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.type' 2>/dev/null)
echo "v1 tag object SHA: $TAG_SHA"
echo "v1 tag object type: $TAG_TYPE"

# If v1 is an annotated tag object, dereference it to the commit it tags;
# otherwise the ref already points at the commit.
COMMIT_SHA="$TAG_SHA"
if [ "$TAG_TYPE" = "tag" ]; then
  COMMIT_SHA=$(gh api "repos/petry-projects/.github/git/tags/$TAG_SHA" --jq '.object.sha' 2>/dev/null)
  echo "Dereferenced commit SHA: $COMMIT_SHA"
fi

# 2. Confirm the pinned SHA exists as a commit in the repo (not a fork)
gh api "repos/petry-projects/.github/commits/$PINNED" --jq '.sha' 2>/dev/null \
  && echo "SHA $PINNED confirmed present in petry-projects/.github" \
  || echo "WARNING: SHA $PINNED NOT found in petry-projects/.github"

# 3. Compare the pinned SHA with the commit that v1 actually resolves to
if [ "$PINNED" = "$COMMIT_SHA" ]; then
  echo "Pinned SHA matches the v1 tag"
else
  echo "WARNING: pinned SHA does not match v1 (v1 resolves to $COMMIT_SHA)"
fi

SHA pin does not match the v1 tag — clarification required before merge.

The verification reveals a critical discrepancy: the pinned SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d exists in the petry-projects/.github repo but does NOT correspond to the v1 tag. The v1 tag points to commit 3ac78a9b0a7b5bcf0b9a62c284129f3abffdebaa — a different commit.

The # v1 comment is therefore inaccurate. Either:

  • Confirm that ee22b427cbce9ecadcf2b436acb57c3adf0cb63d is the intended commit and update the comment to reflect its actual ref (tag, branch, or commit description).
  • Or pin to the correct v1 commit: 3ac78a9b0a7b5bcf0b9a62c284129f3abffdebaa.
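A checker for the action-pinning policy described in the PR description and for the tag/comment mismatch CodeRabbit raises above, added here as an example; it is not code from this repository or from either bot. It flags any remote uses: reference that is not a full 40-character SHA and, given a tag-to-commit map (a constructed stand-in for the gh api repos/<owner>/<repo>/git/refs/tags/<tag> lookups, with annotated tags already dereferenced), catches a trailing "# v1"-style comment whose tag resolves to a different commit. The workflow text, repositories other than petry-projects/.github, and every SHA below are constructed placeholders and say nothing about the real tags.

```python
import re

# Constructed sample workflow (not the repository's real file). The first
# `uses:` line is the PR's "before" reference; the rest are stand-ins with
# obviously constructed SHAs so the checker exercises each finding type.
SAMPLE_WORKFLOW = """\
name: dependabot-automerge
on: pull_request
jobs:
  before:
    uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1
  pinned-ok:
    uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v1
  local:
    uses: ./.github/workflows/local.yml
  steps-job:
    steps:
      - uses: example-org/example-action@1111111111111111111111111111111111111111 # v2.0.0
      - uses: example-org/other-action@2222222222222222222222222222222222222222
"""

# Constructed stand-in for what `gh api repos/<owner>/<repo>/git/refs/tags/<tag>`
# resolves to once any annotated tag object is dereferenced to its commit.
# Placeholder values only; they make no claim about the real tags.
RESOLVED_TAGS = {
    ("petry-projects/.github", "v1"): "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    ("example-org/example-action", "v2.0.0"): "3333333333333333333333333333333333333333",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_pins(workflow_text, resolved_tags):
    """Classify every remote `uses:` reference in a workflow.

    Returns (line_no, ref, finding) tuples where finding is one of:
      unpinned            tag, branch or abbreviated SHA (mutable reference)
      no-version-comment  full SHA but no trailing `# <tag>` to track it by
      unknown-tag         comment names a tag the resolver has no entry for
      comment-mismatch    comment's tag resolves to a different commit
      ok                  full SHA and comment tag resolve to the same commit
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local workflows and images are outside the pinning policy
        target, _, version = ref.partition("@")
        repo = "/".join(target.split("/")[:2])  # owner/name; drop any sub-path
        if not FULL_SHA_RE.match(version):
            finding = "unpinned"
        elif not m.group("comment"):
            finding = "no-version-comment"
        else:
            expected = resolved_tags.get((repo, m.group("comment")))
            if expected is None:
                finding = "unknown-tag"
            elif expected != version:
                finding = "comment-mismatch"
            else:
                finding = "ok"
        findings.append((line_no, ref, finding))
    return findings


def policy_violations(findings):
    """Only the findings that should block a merge under the pinning policy."""
    return [f for f in findings if f[2] in ("unpinned", "comment-mismatch")]


if __name__ == "__main__":
    for line_no, ref, finding in check_pins(SAMPLE_WORKFLOW, RESOLVED_TAGS):
        print(f"line {line_no}: {finding:20s} {ref}")
```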

@github-actions
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry
Contributor Author

@dev-lead - please fix this PR

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-dependabot-automerge.yml