Skip to content

fix(ci): compliance fixes — secret-scan job, rust-toolchain SHA pin#216

Closed
don-petry wants to merge 0 commit into
mainfrom
claude/issue-215-20260508-1420
Closed

fix(ci): compliance fixes — secret-scan job, rust-toolchain SHA pin#216
don-petry wants to merge 0 commit into
mainfrom
claude/issue-215-20260508-1420

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

Addresses compliance audit findings for the petry-projects/.github repository (issue #215):

  • secret_scan_ci_job_present — Added secret-scan (gitleaks) job to .github/workflows/ci.yml per the push-protection standard. Uses pinned SHA ff98106e for gitleaks-action@v2.3.9.
  • unpinned-actions-dependency-audit.yml — Pinned dtolnay/rust-toolchain@stable to commit SHA 29eef336 in .github/workflows/dependency-audit.yml.
  • check-suite-auto-trigger-1236702 / check-suite-auto-trigger-347564 — Disabled auto-trigger check suites for Claude and CodeRabbit via direct API PATCH (no file change required).

Findings not in this PR

Finding Reason
unpinned-actions-agent-shield.yml False positive — internal reusable ref (@v1) is exempt per Action Pinning Policy; file is also immutable per workflow-exemptions.json
unpinned-actions-claude.yml False positive — internal reusable ref (@main) is exempt; file is immutable per OIDC constraint
codeowners-org-leads-not-first / codeowners-no-catchall Verified false positives — CODEOWNERS already has * @petry-projects/org-leads which satisfies both rules
allow_auto_merge / delete_branch_on_merge Already correct — confirmed true via API
codeql-default-setup-not-configured Already configured — confirmed state=configured via API
security_and_analysis_unavailable Warning only — requires org admin PAT to remediate

Test plan

  • CI passes (lint, shellcheck, agent-security, secret-scan)
  • secret-scan job runs gitleaks with full history (fetch-depth: 0)
  • dependency-audit.yml audit-cargo job uses the pinned SHA

Closes #215

Generated with Claude Code

@don-petry don-petry requested a review from a team as a code owner May 8, 2026 14:29
Copilot AI review requested due to automatic review settings May 8, 2026 14:29
@coderabbitai

coderabbitai Bot commented May 8, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 11 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 68c3139e-a106-4737-a333-44c33ee07693

📥 Commits

Reviewing files that changed from the base of the PR and between 575df99 and 16d5b38.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/dependency-audit.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-215-20260508-1420

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR remediates compliance-audit findings in the .github standards repository by (1) adding the required full-history gitleaks CI job and (2) pinning an unpinned action dependency in the dependency audit workflow.

Changes:

  • Added a secret-scan job to the main CI workflow to run gitleaks with full git history (fetch-depth: 0) and pinned action SHAs.
  • Pinned dtolnay/rust-toolchain in dependency-audit.yml to a specific commit SHA.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/ci.yml Adds the required secret-scan (gitleaks) job with pinned SHAs and full-history checkout.
.github/workflows/dependency-audit.yml Pins dtolnay/rust-toolchain to a commit SHA to satisfy action pinning compliance.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 158 to 161
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

@don-petry don-petry enabled auto-merge (squash) May 12, 2026 01:42
@don-petry don-petry force-pushed the claude/issue-215-20260508-1420 branch from 8387421 to 48609c6 Compare May 13, 2026 16:59
@sonarqubecloud

Copy link
Copy Markdown

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry don-petry closed this May 14, 2026
auto-merge was automatically disabled May 14, 2026 15:33

Pull request was closed

@don-petry don-petry force-pushed the claude/issue-215-20260508-1420 branch from 16d5b38 to 761dd4a Compare May 14, 2026 15:33
@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase complete — PR branch claude/issue-215-20260508-1420 has been rebased onto main.

Conflict resolution summary

The PR was 3 commits behind main. Two of those commits (6f46503) touched the same files as this PR and caused merge conflicts:

File Conflict Resolution
.github/workflows/ci.yml PR adds gitleaks/gitleaks-action (requires GITLEAKS_LICENSE); main already has a self-contained manual gitleaks install (uses .gitleaks.toml, no license needed) via #277 Kept base branch (main) — newer, better implementation
.github/workflows/dependency-audit.yml Both sides pin dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 Identical on both sides — no real conflict

Result

After resolving all conflicts in favour of the base branch (main), this PR has zero net diff against main — the changes it set out to make (secret-scan job + dtolnay SHA pin) were already fully incorporated into main via PR #277 (6f46503).

The branch has been force-updated to the current main HEAD:

New HEAD: 761dd4a (fix: disable check-suite auto-trigger for Claude and CodeRabbit on .github (#275))
Status:   identical to main (0 commits ahead, 0 behind)

Note: Because the PR's changes are already in main, this PR can likely be closed as superseded by #277. If you intended additional changes, please update the branch with new commits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance audit — 2026-05-08

3 participants