fix(ci): compliance fixes — secret-scan job, rust-toolchain SHA pin#216
fix(ci): compliance fixes — secret-scan job, rust-toolchain SHA pin#216don-petry wants to merge 0 commit into
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR remediates compliance-audit findings in the .github standards repository by (1) adding the required full-history gitleaks CI job and (2) pinning an unpinned action dependency in the dependency audit workflow.
Changes:
- Added a
secret-scanjob to the main CI workflow to run gitleaks with full git history (fetch-depth: 0) and pinned action SHAs. - Pinned
dtolnay/rust-toolchainindependency-audit.ymlto a specific commit SHA.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Adds the required secret-scan (gitleaks) job with pinned SHAs and full-history checkout. |
| .github/workflows/dependency-audit.yml | Pins dtolnay/rust-toolchain to a commit SHA to satisfy action pinning compliance. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
|
|
|
Auto-rebase blocked — the base branch contains Please rebase this branch manually: |
8387421 to
48609c6
Compare
|
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
Review — fix requested (cycle 1/3)The automated review identified the following issues. Please address each one: Findings to fix[Findings would be inserted here] Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Pull request was closed
16d5b38 to
761dd4a
Compare
|
Auto-rebase complete — PR branch Conflict resolution summaryThe PR was 3 commits behind
ResultAfter resolving all conflicts in favour of the base branch ( The branch has been force-updated to the current
|



Summary
Addresses compliance audit findings for the
petry-projects/.githubrepository (issue #215):secret_scan_ci_job_present— Addedsecret-scan(gitleaks) job to.github/workflows/ci.ymlper the push-protection standard. Uses pinned SHAff98106eforgitleaks-action@v2.3.9.unpinned-actions-dependency-audit.yml— Pinneddtolnay/rust-toolchain@stableto commit SHA29eef336in.github/workflows/dependency-audit.yml.check-suite-auto-trigger-1236702/check-suite-auto-trigger-347564— Disabled auto-trigger check suites for Claude and CodeRabbit via direct API PATCH (no file change required).Findings not in this PR
unpinned-actions-agent-shield.yml@v1) is exempt per Action Pinning Policy; file is also immutable perworkflow-exemptions.jsonunpinned-actions-claude.yml@main) is exempt; file is immutable per OIDC constraintcodeowners-org-leads-not-first/codeowners-no-catchall* @petry-projects/org-leadswhich satisfies both rulesallow_auto_merge/delete_branch_on_mergetruevia APIcodeql-default-setup-not-configuredstate=configuredvia APIsecurity_and_analysis_unavailableTest plan
secret-scanjob runs gitleaks with full history (fetch-depth: 0)dependency-audit.ymlaudit-cargojob uses the pinned SHACloses #215
Generated with Claude Code