feat: add compliance-remediate.sh — close the audit -> auto-fix -> PR loop#220
Conversation
|
Warning Review limit reached
More reviews will be available in 56 minutes and 25 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughA new Bash automation script reads compliance findings from JSON and performs repository auto-remediation via GitHub CLI. It supports direct API updates and PR-based fixes, maintains per-run reports, tracks counters, and supports DRY_RUN mode. Handlers cover repository settings, check-suite preferences, labels, CODEOWNERS generation, and GitHub Actions workflow SHA pinning. ChangesCompliance Remediation Script
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Adds an org-level remediation script that consumes findings.json from scripts/compliance-audit.sh and attempts to automatically resolve common compliance findings via direct GitHub API changes and PR-based fixes.
Changes:
- Introduces
scripts/compliance-remediate.shto apply direct remediations (repo settings, labels, check-suite preferences) from audit findings. - Adds PR-based remediation flows for CODEOWNERS standardization and GitHub Actions SHA pinning.
- Generates markdown reports summarizing remediations performed and findings skipped/failed.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/compliance-remediate.sh`:
- Around line 706-713: The current repos assignment silences jq parse/errors via
"|| echo ''" causing malformed FINDINGS_FILE to be treated as no findings;
remove the fallback and instead run jq to populate the repos variable and
immediately check its exit status (i.e., run repos=$(jq -r '[.[].repo] |
unique[]' "$FINDINGS_FILE" 2>/dev/null) and if jq fails — detect non-zero exit
code or empty output due to parse errors — call the script's error/fatal logging
function (e.g., error or fatal) with the jq error context and exit with a
non-zero status; ensure you reference FINDINGS_FILE and the repos variable and
do not swallow jq failures.
- Line 264: The script uses GNU-only base64 flags (e.g., base64 -w 0 and base64
-d) which break on macOS; add portable helper functions b64_encode() and
b64_decode() near the other helpers that detect GNU vs BSD base64 and call the
appropriate options, then replace all raw base64 invocations (e.g., the
encoded_content assignment and the other two occurrences where base64 is used)
to pipe through b64_encode or b64_decode as appropriate so encoding/decoding
works on both Linux and macOS.
- Around line 379-414: The gh API calls use action_part (which may include a
workflow path) instead of the repository slug; extract the repo slug as the
first two path components (e.g.,
repo_slug="${action_part%%/*}/${action_part#*/}" truncated to two components)
before the tag-resolution block and replace action_part with repo_slug in the
three gh api calls that assign ref_json and commit_sha (the calls using
"repos/$action_part/git/refs/tags/$tag_part",
"repos/$action_part/git/tags/$obj_sha", and
"repos/$action_part/commits?sha=$tag_part&per_page=1") so API paths become
"repos/$repo_slug/…". Ensure the new repo_slug variable is used consistently and
falls back to action_part if it cannot be parsed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: c46eb8fd-914c-4734-a2d8-a47f99280156
📒 Files selected for processing (1)
scripts/compliance-remediate.sh
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
8a49089 to
ae0f4c8
Compare
Superseded by automated re-review at
|
Superseded by automated re-review at
|
Superseded by automated re-review at
|
Automated review — human attention neededThis PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the Posted by the donpetry-bot PR-review cascade. |
|
@dev-lead - please fix this PR |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
|
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: b27a353c6bb98414fda678d09afb39637b08e266
Review mode: triage-approved (single reviewer)
Summary
Adds scripts/compliance-remediate.sh (834 lines) — a new automation script that consumes findings.json from compliance-audit.sh and applies remediations. Direct API fixes for repo settings, labels, and check-suite preferences; PR-based fixes for CODEOWNERS and unpinned actions; skip-with-reason for everything else. Also drops a duplicate .dev-lead/ line in .gitignore. Closes #35. Triage tier cleared this as approvable — confirmation review concurs.
Linked issue analysis
Closes #35 (the audit → report → auto-fix → PR loop). The script implements exactly the dispatch surface described in the PR body: settings PATCHes, label creation, check-suite auto-trigger disabling, CODEOWNERS standardization to @petry-projects/org-leads, and Actions SHA pinning (including annotated-tag dereference). Items requiring workflow token scope or human judgment are explicitly skipped with actionable reasons, which matches the issue's scope boundary.
Findings
No blocking issues.
Prior CodeRabbit findings appear addressed in this head:
- jq parse errors are no longer swallowed —
repos=$(jq ... 2>/tmp/_cr_jq_err)checks the exit status anderr/exits on failure (line ~782). - Portable base64 —
b64_encode/b64_decodehelpers feature-detect GNU vs BSD (line ~91-107) and are used at all base64 call sites. - Action-pinning uses
repo_part(first two path components via awk) instead of the fullaction_partfor thegit/refs,git/tags, andcommitsAPI calls (line ~445), so reusable-workflow refs likeowner/repo/.github/workflows/x.yml@tagresolve correctly.
Other notable hygiene:
- Bash 4+ guard with macOS workaround hint.
set -uo pipefail(intentionally no-eso a single repo failure doesn't abort the batch — documented).- DRY_RUN supported on every mutation path.
- Branch cleanup (
git/refs DELETE) on Contents-API failure to avoid orphan branches. - Regex-escapes the matched
uses:ref before sed substitution. - Required env vars (
FINDINGS_FILE,GH_TOKEN) validated before any work.
Nit (non-blocking): the sed s|...|...|g substitution at line ~492 uses escaped_ref for the LHS but interpolates the unescaped action_part and commit_sha on the RHS. Both come from upstream YAML/API and won't contain | in practice, so it's safe today — worth keeping in mind if action names ever contain sed-special chars.
CI status
All required checks green: ShellCheck, CodeQL, SonarCloud (quality gate passed), AgentShield, gitleaks, Lint, dev-lead/dispatch, pr-auto-review. Ecosystem audits (npm/pnpm/pip/cargo/go) correctly SKIPPED — no manifests touched. mergeStateStatus is BLOCKED only because reviewDecision is REVIEW_REQUIRED (which this review resolves).
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>



Summary
Adds
scripts/compliance-remediate.shto close the audit → report → auto-fix → PR loop from #35. The script readsfindings.jsonfromcompliance-audit.shand applies automatic remediations.Closes #35
Direct API remediations (applied immediately, no PR)
has_wiki=truehas_wiki=falseallow_auto_merge=falseallow_auto_merge=truedelete_branch_on_merge=falsedelete_branch_on_merge=truehas_discussions=falsehas_discussions=truecheck-suite-auto-trigger-<app_id>missing-label-<name>gh label createwith correct colors/descriptions per standardPR-based remediations (creates branch + PR in target repo)
missing-codeowners,codeowners-empty,codeowners-org-leads-not-first,codeowners-individual-users,codeowners-no-catchall.github/CODEOWNERSwith* @petry-projects/org-leadsper current standardunpinned-actions-<file.yml>Skipped with explanation (for human/agent pickup)
Missing workflow files, rulesets,
dependabot.yml,CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settingsUsage
Workflow integration snippet
Add a
remediatejob tocompliance-audit-and-improvement.ymlafter theauditjob:Improvements over prior attempts (
claude/issue-35-20260406-0341)* @petry-projects/org-leads(not individual users — forbidden per codeowners-standard.md updated 2026-05-04)missing-codeownersin-progresslabel: Added to label map (was missing in prior versions)check-suite-auto-trigger-*findings that block auto-mergeapply-repo-settings.shGenerated with Claude Code
Summary by CodeRabbit