Skip to content

fix(compliance): address 2026-05-12 audit findings for .github repo#257

Closed
don-petry wants to merge 0 commit into
mainfrom
claude/issue-256-20260512-1812
Closed

fix(compliance): address 2026-05-12 audit findings for .github repo#257
don-petry wants to merge 0 commit into
mainfrom
claude/issue-256-20260512-1812

Conversation

@don-petry

@don-petry don-petry commented May 12, 2026

Copy link
Copy Markdown
Contributor

Summary

Addresses compliance audit findings for the .github repo from the 2026-05-12 audit (issue #256).

Changes

  • ci.yml: Add secret-scan job running gitleaks in full-history mode — resolves secret_scan_ci_job_present error
  • dependency-audit.yml: Pin dtolnay/rust-toolchain@stable to commit SHA 29eef336 — resolves unpinned-actions-dependency-audit.yml error
  • scripts/compliance-audit.sh: Exempt petry-projects/.github internal reusable workflow refs from SHA-pinning check — resolves false-positive findings for agent-shield.yml, claude.yml, dependabot-automerge.yml (these use @v1/@main tags which are exempt per ci-standards.md#action-pinning-policy)

Settings Applied via API

  • dependabot_security_updates: enabled (was disabled)

Remaining Items (require admin PAT via apply-repo-settings.sh)

These settings could not be changed with the current token (require classic PAT with repo scope or org admin):

  • secret_scanning_ai_detection: requires GHAS/org admin token
  • secret_scanning_non_provider_patterns: requires GHAS/org admin token
  • check-suite-auto-trigger-1236702 (Claude): requires classic PAT
  • check-suite-auto-trigger-347564 (CodeRabbit): requires classic PAT

Run GH_TOKEN=<admin-pat> bash scripts/apply-repo-settings.sh .github to apply these.

Stale Findings (already resolved on main)

  • allow_auto_merge: already true — stale finding
  • delete_branch_on_merge: already true — stale finding
  • CODEOWNERS codeowners-org-leads-not-first / codeowners-no-catchall: already correct (* @petry-projects/org-leads) — stale finding

Closes #256

Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Chores
    • Improved secret scanning reliability in CI/CD pipeline with updated tooling.
    • Refined compliance audit checks for internal workflow references.

Review Change Stack

Copilot AI review requested due to automatic review settings May 12, 2026 18:19
@don-petry don-petry requested a review from a team as a code owner May 12, 2026 18:19
@coderabbitai

coderabbitai Bot commented May 12, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 26 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f44699f6-077d-485a-8285-62a0a974ce7a

📥 Commits

Reviewing files that changed from the base of the PR and between ed8ad7a and ba61bd7.

📒 Files selected for processing (1)
  • scripts/compliance-audit.sh
📝 Walkthrough

Walkthrough

This PR replaces the manual gitleaks execution in the secret-scan CI job with the official pinned gitleaks/gitleaks-action and updates the compliance audit script to exempt internal reusable-workflow uses: references from SHA-pinning validation.

Changes

Secret Scanning and Compliance Audit

Layer / File(s) Summary
secret-scan job refactor to pinned gitleaks action
.github/workflows/ci.yml
Replaces inline gitleaks download and execution with the pinned gitleaks/gitleaks-action, adds security-events: write permission, enables full-history checkout (fetch-depth: 0), and configures the action with detect --source . --redact --verbose --exit-code 1 arguments and environment variables for GITHUB_TOKEN and GITLEAKS_LICENSE.
Compliance audit exemption for internal reusable workflows
scripts/compliance-audit.sh
Extends the check_action_pinning function to skip validation on internal petry-projects/.github/.github/workflows/ reusable-workflow references, preventing them from being counted as unpinned actions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

  • #256 — These changes implement two compliance remediation items: adding a pinned secret-scan CI job and updating action pinning audit rules to exempt internal reusable workflows.

Possibly related PRs

  • petry-projects/.github#12 — The compliance-audit.sh update directly extends the pinning-check logic originally introduced in this PR for the weekly audit script.
  • petry-projects/.github#159 — Implements the same "exempt internal reusable workflow references from SHA pinning" policy now being applied in the audit exemption list.
  • petry-projects/.github#87 — Centralizes reusable workflows using petry-projects/.github/.../workflows references, which this PR's exemption prevents from being flagged as unpinned.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR partially addresses linked issue #256. It implements the secret-scan job [Repository settings, Push Protection & Secret Scanning] and action pinning fixes [Action SHA Pinning, compliance-audit.sh], but omits critical work: repository settings enforcement [Repository settings], dependabot.yml addition [Dependabot Configuration], and other required workflows [Workflows]. Complete remaining remediations from issue #256: add dependabot.yml, pin remaining workflow actions, apply repository settings via apply-repo-settings.sh, and ensure all required workflows are present.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly references the audit findings that prompted the changes and accurately describes the pull request's primary purpose to address 2026-05-12 compliance audit findings.
Out of Scope Changes check ✅ Passed All changes directly address the linked audit findings: secret-scan job addition, action pinning, compliance-audit.sh exemption pattern, and dependabot_security_updates enablement are all within the scope of issue #256 remediation.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-256-20260512-1812

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the scripts/compliance-audit.sh script to exempt internal reusable workflows from SHA-pinning requirements. The review feedback suggests anchoring the exclusion pattern to the 'uses:' key to prevent false negatives that could occur if the exclusion string appears within a comment on an unpinned line.

Comment thread scripts/compliance-audit.sh Outdated
# deliberate @v1/@main tags and are exempt per ci-standards.md#action-pinning-policy.
local unpinned
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' || true)
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'petry-projects/\.github/\.github/workflows/' || true)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The exclusion pattern for internal reusable workflows is not anchored to the uses: value. If this string appears in a comment on an unpinned action line (e.g., uses: actions/checkout@v4 # internal ref: petry-projects/.github/.github/workflows/), the line will be incorrectly excluded from the audit findings, leading to a false negative. It is safer to ensure the pattern follows the uses: key to accurately target the action path.

Suggested change
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'petry-projects/\.github/\.github/workflows/' || true)
unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE 'uses:\s+(docker://|\.\/|petry-projects/\.github/\.github/workflows/)' || true)

@don-petry

Copy link
Copy Markdown
Contributor Author

@petry-projects/org-leads — CI is green (all checks passing/skipped except CodeQL which is still running). This PR addresses the following .github repo findings from the 2026-05-12 compliance audit (#256):

  • secret_scan_ci_job_present: Added gitleaks secret-scan job to ci.yml
  • unpinned-actions-dependency-audit.yml: Pinned dtolnay/rust-toolchain@stable to SHA
  • unpinned-actions-agent-shield.yml / claude.yml / dependabot-automerge.yml: Fixed in compliance audit script (exempt per ci-standards.md#action-pinning-policy)
  • dependabot_security_updates: Enabled via API

Remaining items that require an admin PAT: secret_scanning_ai_detection, secret_scanning_non_provider_patterns, and check-suite auto-trigger preferences — run GH_TOKEN=<admin-pat> bash scripts/apply-repo-settings.sh .github.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses the 2026-05-12 compliance audit findings for the .github repo by tightening action pinning, fixing a workflow pinning finding, and adding the required CI secret-scanning job.

Changes:

  • Add a secret-scan CI job using gitleaks with full git history checkout.
  • Pin dtolnay/rust-toolchain@stable to a commit SHA in dependency-audit.yml.
  • Update scripts/compliance-audit.sh to exempt internal petry-projects/.github reusable workflow refs from SHA-pinning findings (per documented policy).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
scripts/compliance-audit.sh Exempts internal .github reusable workflow references from the SHA-pinning audit check.
.github/workflows/dependency-audit.yml Pins dtolnay/rust-toolchain to a commit SHA to satisfy action-pinning enforcement.
.github/workflows/ci.yml Adds a secret-scan job using gitleaks with fetch-depth: 0 to satisfy secret-scan CI requirements.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/ci.yml
Comment on lines +111 to +116
- name: Run gitleaks
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot

donpetry-bot commented May 14, 2026

Copy link
Copy Markdown
Contributor
Superseded by automated re-review at d41715899a03f3bf0f7a3a166a50f1464a02e600 — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — could not complete automatically

Two issues prevented automated resolution:


Issue 1: Git commands blocked (allowedTools bug)

The claude-rebase workflow uses --allowedTools "Bash(git*:*)" but this pattern does not match actual git commands because they never contain a : character. Commands git config, git fetch, git rebase, and git push all required user approval and could not proceed in an automated context.

Fix needed in .github/workflows/claude-code-reusable.yml: change Bash(git*:*) to Bash(git *) in the claude-rebase job's claude_args.


Issue 2: Application-code conflict in ci.yml

Even if git commands were available, the conflict in .github/workflows/ci.yml requires human judgment. Both PR #257 and the later-merged PR #277 (6f46503) added a secret-scan job, but with different implementations:

This is an application-logic conflict (not just a pin-version difference), which must be resolved by a human per rebase policy.

Recommendation: the main version (PR #277) is the more mature implementation — drop the gitleaks-action approach from this PR and keep main's version.


Manual resolution steps

git fetch origin
git rebase origin/main
# Conflict in .github/workflows/ci.yml — two implementations of the secret-scan job
# Accept main's version (keeps the direct binary install approach from PR #277):
git checkout --ours -- .github/workflows/ci.yml
git add .github/workflows/ci.yml
git rebase --continue
git push --force-with-lease

Key decision: keep the main branch's secret-scan implementation (direct gitleaks binary install with SHA verification) and discard the gitleaks-action approach from this PR, since PR #277 already merged the better fix to main.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase: Manual Resolution Required

The auto-rebase workflow cannot automatically resolve the conflicts on this PR. The conflicts involve structural changes to workflow YAML files — not simple SHA/version pin updates — which require human judgment.

What's Conflicting

The PR's unique commits (fixing 2026-05-12 compliance findings) modified these files:

File PR Change Conflict Source
.github/workflows/ci.yml Added secret-scan job using gitleaks/gitleaks-action Main later replaced this with a direct binary install approach
.github/workflows/claude-code-reusable.yml Merged bot review triggers into main claude job; removed separate claude-fix-review-comments job Main has evolved these jobs differently since the PR was opened
scripts/compliance-audit.sh Compliance script changes Potential overlap with main's changes
standards/ci-standards.md Standards doc updates Potential overlap with main's changes

The base branch (main) has moved from 575df99 to 761dd4a since the last merge-into-PR. GitHub reports rebaseable: false.

Manual Resolution Steps

git fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# Resolve conflicts in the files listed above
# For ci.yml: reconcile the secret-scan job approach (binary install vs. action)
# For claude-code-reusable.yml: reconcile the bot trigger logic
git add .github/workflows/ci.yml
git add .github/workflows/claude-code-reusable.yml
git add scripts/compliance-audit.sh
git add standards/ci-standards.md
git rebase --continue
git push --force-with-lease

Additional Notes

  • The environment also lacked git write permissions (git config, fetch, rebase all required interactive approval), preventing the automated rebase from running.
  • This PR has been updated via merge commits multiple times; consider whether a squash-and-rebase might be cleaner.

/cc @petry-projects/org-leads

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-Rebase: Failed — Permission Error

The automated rebase agent was unable to complete the rebase for this PR because the required git operations (git fetch, git rebase, git push) are blocked by the current Claude Code permission configuration in this environment.

What needs to happen manually

git fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# If conflicts arise in .github/workflows/*.yml (action pin conflicts):
#   - Compare pinned SHAs/tags on both sides
#   - Keep the side with the newer version
#   - git add <resolved-file>
#   - git rebase --continue
# If conflicts arise in any other file:
#   - Resolve manually based on intent of both changes
#   - git add <resolved-file>
#   - git rebase --continue
git push --force-with-lease

Files that differ between this branch and main

  • .github/workflows/auto-rebase-reusable.yml
  • .github/workflows/ci.yml
  • .github/workflows/claude-code-reusable.yml
  • .gitleaks.toml
  • scripts/compliance-audit.sh
  • standards/ci-standards.md
  • standards/github-settings.md
  • standards/workflows/dev-lead.yml

Root cause

The Claude Code session running this agent does not have git fetch, git rebase, or git push in its permission allowlist. A project maintainer can fix this by adding the following to .claude/settings.json:

{
  "permissions": {
    "allow": [
      "Bash(git fetch *)",
      "Bash(git rebase *)",
      "Bash(git push --force-with-lease)",
      "Bash(git config *)"
    ]
  }
}

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase: conflict could not be resolved automatically

The auto-rebase agent attempted to rebase claude/issue-256-20260512-1812 onto main but encountered an application-logic conflict that requires human judgment.

Conflict details

File: .github/workflows/ci.yml

Both this PR and main independently added a secret-scan job at the same location (after the agent-security job), but with fundamentally different implementations:

This PR (theirs) main (ours — PR #277)
Approach gitleaks/gitleaks-action action Direct binary download
Permissions contents: read + security-events: write contents: read only
Config No .gitleaks.toml Uses .gitleaks.toml (added by main)
License Requires GITLEAKS_LICENSE secret No license required
Merged date 2026-05-12 2026-05-13 (newer)

This is not a simple action-pin version conflict — the entire job structure differs. A human must decide which implementation to keep (most likely main's direct-download approach, since it was merged later and avoids a license dependency).

Manual resolution steps

git fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# Git will stop at the conflict in .github/workflows/ci.yml
# Edit the file to resolve the secret-scan job conflict
# Recommended: keep main's direct-download implementation
git add .github/workflows/ci.yml
git rebase --continue
git push --force-with-lease

Recommended resolution for ci.yml

Keep the secret-scan job from main (direct download, no license required):

  secret-scan:
    name: Secret scan (gitleaks)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout (full history)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: "8.30.1"
        run: |
          # Checksum kept in the shell run block (not as a YAML env var) to avoid
          # SonarCloud flagging hex strings in env: sections as Security Hotspots.
          gitleaks_checksum="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
          tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}"
          install_dir="${RUNNER_TEMP}/gitleaks-bin"
          mkdir -p "${install_dir}"
          wget -q "${url}" -O /tmp/gitleaks.tar.gz
          echo "${gitleaks_checksum}  /tmp/gitleaks.tar.gz" | sha256sum -c
          tar -xzf /tmp/gitleaks.tar.gz -C "${install_dir}" gitleaks
          chmod +x "${install_dir}/gitleaks"
          echo "${install_dir}" >> "${GITHUB_PATH}"

      - name: Run gitleaks
        run: gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1

Note: Main's approach is preferred because it was merged later (2026-05-13 vs 2026-05-12), does not require a GITLEAKS_LICENSE secret, and uses the .gitleaks.toml config file that main added alongside it.

@don-petry don-petry force-pushed the claude/issue-256-20260512-1812 branch from 700a802 to a2494fe Compare May 16, 2026 13:13
@donpetry-bot

donpetry-bot commented May 17, 2026

Copy link
Copy Markdown
Contributor
Superseded by automated re-review at 9cf20812b35f89005dca9e06d405169b5b99a755 — click to expand prior review.

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 3/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: 9cf20812b35f89005dca9e06d405169b5b99a755
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

This PR correctly addresses several 2026-05-12 compliance findings (action pinning in dependency-audit.yml, false-positive exemptions in compliance-audit.sh), but the ci.yml change is a regression: it replaces the more secure gitleaks binary-install approach (SHA-checksum verified, no license needed) that main already has (merged via PR #277) with the older gitleaks-action approach that requires a new GITLEAKS_LICENSE secret and adds security-events:write permission. The REVIEW_REQUIRED gate (org-leads) is unmet, and two prior automated review cycles emitted placeholder text instead of real findings, leaving the author without actionable feedback.

Findings

  • MAJOR: .github/workflows/ci.yml ci.yml reverts the gitleaks secret-scan job from main's superior implementation (direct binary download with SHA-256 checksum verification, no license required, uses .gitleaks.toml config) back to the gitleaks-action approach that requires a GITLEAKS_LICENSE secret and adds security-events:write. PR fix(ci): secret-scan job + dtolnay SHA pin (.github repo — compliance #276) #277 already merged the better approach to main on 2026-05-13 — this PR's merge conflict was never properly resolved; instead multiple merge-into-branch commits were applied, leaving the old implementation in place.
  • MAJOR: .github/workflows/ci.yml The gitleaks-action approach introduces a required GITLEAKS_LICENSE secret that main's implementation does not need. There is no evidence in this PR or the linked issue that this secret is provisioned in the org/repo. If absent, the secret-scan job will fail silently or with an unhelpful error, removing the security gate entirely.
  • MINOR: .github/workflows/ci.yml The secret-scan job gains security-events:write permission (for SARIF upload to the GitHub Security tab). Main's implementation uses only contents:read. This is a legitimate permission for SARIF upload but represents an unnecessary privilege expansion since main's gitleaks approach runs without it.
  • MINOR: .github/workflows/ci.yml The new gitleaks run command (via gitleaks-action args) omits --config .gitleaks.toml, while main's implementation explicitly passes it. Any custom gitleaks exclusions or rule overrides defined in .gitleaks.toml will be silently bypassed, potentially producing different scan results than intended.
  • MINOR: scripts/compliance-audit.sh:219 Gemini Code Assist flagged that the new exemption pattern in compliance-audit.sh (grep -vE 'petry-projects/\.github/\.github/workflows/') is not anchored to the uses: key. If a comment on a non-exempt unpinned uses: line contains the string 'petry-projects/.github/.github/workflows/', that line would be incorrectly excluded from the pinning audit, producing a false negative.
  • INFO: The PR has reviewDecision=REVIEW_REQUIRED from @petry-projects/org-leads. No human approval has been recorded. The PR cannot merge in its current state.
  • INFO: Both prior automated review cycles (cycle 1/3 and cycle 2/3) posted '[Findings would be inserted here]' placeholder text instead of real findings. The author was never given actionable feedback from the automated review, which explains why no fixes were pushed between review cycles.
  • INFO: All CI checks are green: Lint, ShellCheck, SonarCloud (0 issues, 0 hotspots), CodeQL, Secret scan (gitleaks), Agent Security Scan, Dependency audit, and CodeRabbit all pass. The MERGEABLE state is MERGEABLE but mergeStateStatus is BLOCKED (awaiting required review).

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@donpetry-bot

Copy link
Copy Markdown
Contributor

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 104-117: The "Run gitleaks" GitHub Action step currently omits the
checked-in policy and adds extra secrets/permissions; update the step so it uses
the repo's .gitleaks.toml and does not introduce the action-only
license/permission: change the args passed in the "Run gitleaks" step to include
--config .gitleaks.toml (i.e., detect --source . --config .gitleaks.toml
--redact --verbose --exit-code 1), remove the GITLEAKS_LICENSE env and any added
permission like security-events: write, and if the main job previously ran the
gitleaks binary directly, revert to that implementation instead of switching to
the action-based approach to preserve the original behavior.

In `@scripts/compliance-audit.sh`:
- Line 222: The current exemption grep for
petry-projects/\.github/\.github/workflows/ can match comments and cause false
negatives; update the grep -vE used in the unpinned pipeline (variable unpinned)
so it only matches when that path appears inside the uses: value itself (i.e.
before any trailing comment). Replace the plain pattern with one anchored to the
uses: directive and to the value portion, e.g. require the line start/uses token
and match petry-projects/\.github/\.github/workflows/ before a possible comment
delimiter (use a regex like
^\s*-?\s*uses:\s+[^#]*petry-projects/\.github/\.github/workflows/ or similar) so
only true uses: values are exempted.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 723b7fe9-dede-4a60-a54d-129156cebf7c

📥 Commits

Reviewing files that changed from the base of the PR and between 891d17c and ed8ad7a.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • scripts/compliance-audit.sh

Comment thread .github/workflows/ci.yml
Comment on lines +104 to +117
security-events: write
steps:
- name: Checkout (full history)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

- name: Install gitleaks
env:
GITLEAKS_VERSION: "8.30.1"
run: |
# Checksum kept in the shell run block (not as a YAML env var) to avoid
# SonarCloud flagging hex strings in env: sections as Security Hotspots.
gitleaks_checksum="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}"
install_dir="${RUNNER_TEMP}/gitleaks-bin"
mkdir -p "${install_dir}"
wget -q "${url}" -O /tmp/gitleaks.tar.gz
echo "${gitleaks_checksum} /tmp/gitleaks.tar.gz" | sha256sum -c
tar -xzf /tmp/gitleaks.tar.gz -C "${install_dir}" gitleaks
chmod +x "${install_dir}/gitleaks"
echo "${install_dir}" >> "${GITHUB_PATH}"

- name: Run gitleaks
run: gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
from pathlib import Path
import subprocess
import re

def extract_job(text, job_name="secret-scan"):
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if re.match(rf'^  {job_name}:\s*$', line))
    end = len(lines)
    for i in range(start + 1, len(lines)):
        if re.match(r'^  [A-Za-z0-9_-]+:\s*$', lines[i]):
            end = i
            break
    return "\n".join(lines[start:end])

current = Path(".github/workflows/ci.yml").read_text()
main = subprocess.check_output(["git", "show", "origin/main:.github/workflows/ci.yml"], text=True)

print("=== PR branch ===")
print(extract_job(current))
print("\n=== origin/main ===")
print(extract_job(main))
PY

echo
echo "=== checked-in gitleaks config ==="
fd -a '^\.gitleaks\.toml$' .

Repository: petry-projects/.github

Length of output: 2314


Don't bypass the checked-in gitleaks policy.

The prior main job explicitly ran gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1; this action step only passes detect --source . --redact --verbose --exit-code 1, so the repo's checked-in .gitleaks.toml policy is no longer consulted. That also introduces a GITLEAKS_LICENSE secret dependency and security-events: write permission that the existing binary-based flow on main does not require. Keep the current main implementation here instead of switching to the action-based approach.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 104 - 117, The "Run gitleaks" GitHub
Action step currently omits the checked-in policy and adds extra
secrets/permissions; update the step so it uses the repo's .gitleaks.toml and
does not introduce the action-only license/permission: change the args passed in
the "Run gitleaks" step to include --config .gitleaks.toml (i.e., detect
--source . --config .gitleaks.toml --redact --verbose --exit-code 1), remove the
GITLEAKS_LICENSE env and any added permission like security-events: write, and
if the main job previously ran the gitleaks binary directly, revert to that
implementation instead of switching to the action-based approach to preserve the
original behavior.

Comment thread scripts/compliance-audit.sh Outdated
@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead - please fix this PR

@sonarqubecloud

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

This was referenced May 29, 2026
@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead please process and advance this PR — fix any failing CI, resolve outstanding review threads, and enable auto-merge once it's green and approvable.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry don-petry closed this Jun 8, 2026
@don-petry don-petry force-pushed the claude/issue-256-20260512-1812 branch from ba61bd7 to 62516a7 Compare June 8, 2026 22:30
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — rebase (no-changes)

Agent reasoning
PR: #257
Rebased onto: main
Conflicts resolved: 3 files
- .github/workflows/ci.yml (commit 1): kept HEAD — gitleaks v3.0.0 with GITLEAKS_LICENSE already present
- scripts/compliance-audit.sh (commit 1): kept HEAD — broader petry-projects/.github exemption already present
- .github/workflows/ci.yml (commit 2): kept HEAD — GITLEAKS_LICENSE already in main
Push: success
```
**Note:** Both PR commits (`866d34d` and `a2494fe`) resolved to no-ops — their changes were already present in main (incorporated via `62516a7`). After the rebase the branch is now at the same commit as `origin/main`. The PR will show an empty diff; it can safely be closed as superseded by the work already merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance audit — 2026-05-12

3 participants