fix(compliance): address 2026-05-12 audit findings for .github repo#257
fix(compliance): address 2026-05-12 audit findings for .github repo#257don-petry wants to merge 0 commit into
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR replaces the manual gitleaks execution in the secret-scan CI job with the official pinned ChangesSecret Scanning and Compliance Audit
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the scripts/compliance-audit.sh script to exempt internal reusable workflows from SHA-pinning requirements. The review feedback suggests anchoring the exclusion pattern to the 'uses:' key to prevent false negatives that could occur if the exclusion string appears within a comment on an unpinned line.
| # deliberate @v1/@main tags and are exempt per ci-standards.md#action-pinning-policy. | ||
| local unpinned | ||
| unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' || true) | ||
| unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'petry-projects/\.github/\.github/workflows/' || true) |
There was a problem hiding this comment.
The exclusion pattern for internal reusable workflows is not anchored to the uses: value. If this string appears in a comment on an unpinned action line (e.g., uses: actions/checkout@v4 # internal ref: petry-projects/.github/.github/workflows/), the line will be incorrectly excluded from the audit findings, leading to a false negative. It is safer to ensure the pattern follows the uses: key to accurately target the action path.
| unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE '(docker://|\.\/)' | grep -vE 'petry-projects/\.github/\.github/workflows/' || true) | |
| unpinned=$(echo "$decoded" | grep -E '^\s*-?\s*uses:\s+[^#]*@' | grep -vE '@[0-9a-f]{40}' | grep -vE 'uses:\s+(docker://|\.\/|petry-projects/\.github/\.github/workflows/)' || true) |
|
@petry-projects/org-leads — CI is green (all checks passing/skipped except CodeQL which is still running). This PR addresses the following
Remaining items that require an admin PAT: |
There was a problem hiding this comment.
Pull request overview
This PR addresses the 2026-05-12 compliance audit findings for the .github repo by tightening action pinning, fixing a workflow pinning finding, and adding the required CI secret-scanning job.
Changes:
- Add a
secret-scanCI job usinggitleakswith full git history checkout. - Pin
dtolnay/rust-toolchain@stableto a commit SHA independency-audit.yml. - Update
scripts/compliance-audit.shto exempt internalpetry-projects/.githubreusable workflow refs from SHA-pinning findings (per documented policy).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
scripts/compliance-audit.sh |
Exempts internal .github reusable workflow references from the SHA-pinning audit check. |
.github/workflows/dependency-audit.yml |
Pins dtolnay/rust-toolchain to a commit SHA to satisfy action-pinning enforcement. |
.github/workflows/ci.yml |
Adds a secret-scan job using gitleaks with fetch-depth: 0 to satisfy secret-scan CI requirements. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Run gitleaks | ||
| uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 | ||
| with: | ||
| args: detect --source . --redact --verbose --exit-code 1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
|
Auto-rebase blocked — the base branch contains Please rebase this branch manually: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
Superseded by automated re-review at
|
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — could not complete automatically Two issues prevented automated resolution: Issue 1: Git commands blocked (allowedTools bug)The Fix needed in Issue 2: Application-code conflict in
|
Auto-rebase: Manual Resolution RequiredThe auto-rebase workflow cannot automatically resolve the conflicts on this PR. The conflicts involve structural changes to workflow YAML files — not simple SHA/version pin updates — which require human judgment. What's ConflictingThe PR's unique commits (fixing 2026-05-12 compliance findings) modified these files:
The base branch ( Manual Resolution Stepsgit fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# Resolve conflicts in the files listed above
# For ci.yml: reconcile the secret-scan job approach (binary install vs. action)
# For claude-code-reusable.yml: reconcile the bot trigger logic
git add .github/workflows/ci.yml
git add .github/workflows/claude-code-reusable.yml
git add scripts/compliance-audit.sh
git add standards/ci-standards.md
git rebase --continue
git push --force-with-leaseAdditional Notes
/cc @petry-projects/org-leads |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Auto-Rebase: Failed — Permission ErrorThe automated rebase agent was unable to complete the rebase for this PR because the required git operations ( What needs to happen manuallygit fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# If conflicts arise in .github/workflows/*.yml (action pin conflicts):
# - Compare pinned SHAs/tags on both sides
# - Keep the side with the newer version
# - git add <resolved-file>
# - git rebase --continue
# If conflicts arise in any other file:
# - Resolve manually based on intent of both changes
# - git add <resolved-file>
# - git rebase --continue
git push --force-with-leaseFiles that differ between this branch and
|
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Auto-rebase: conflict could not be resolved automaticallyThe auto-rebase agent attempted to rebase Conflict detailsFile: Both this PR and main independently added a
This is not a simple action-pin version conflict — the entire job structure differs. A human must decide which implementation to keep (most likely main's direct-download approach, since it was merged later and avoids a license dependency). Manual resolution stepsgit fetch origin
git checkout claude/issue-256-20260512-1812
git rebase origin/main
# Git will stop at the conflict in .github/workflows/ci.yml
# Edit the file to resolve the secret-scan job conflict
# Recommended: keep main's direct-download implementation
git add .github/workflows/ci.yml
git rebase --continue
git push --force-with-leaseRecommended resolution for
|
700a802 to
a2494fe
Compare
Superseded by automated re-review at
|
Review — fix requested (cycle 3/3)The automated review identified the following issues. Please address each one: Findings to fixAutomated review — NEEDS HUMAN REVIEWRisk: MEDIUM SummaryThis PR correctly addresses several 2026-05-12 compliance findings (action pinning in dependency-audit.yml, false-positive exemptions in compliance-audit.sh), but the ci.yml change is a regression: it replaces the more secure gitleaks binary-install approach (SHA-checksum verified, no license needed) that main already has (merged via PR #277) with the older gitleaks-action approach that requires a new GITLEAKS_LICENSE secret and adds security-events:write permission. The REVIEW_REQUIRED gate (org-leads) is unmet, and two prior automated review cycles emitted placeholder text instead of real findings, leaving the author without actionable feedback. Findings
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review. Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
Automated review — human attention neededThis PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the Posted by the donpetry-bot PR-review cascade. |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 104-117: The "Run gitleaks" GitHub Action step currently omits the
checked-in policy and adds extra secrets/permissions; update the step so it uses
the repo's .gitleaks.toml and does not introduce the action-only
license/permission: change the args passed in the "Run gitleaks" step to include
--config .gitleaks.toml (i.e., detect --source . --config .gitleaks.toml
--redact --verbose --exit-code 1), remove the GITLEAKS_LICENSE env and any added
permission like security-events: write, and if the main job previously ran the
gitleaks binary directly, revert to that implementation instead of switching to
the action-based approach to preserve the original behavior.
In `@scripts/compliance-audit.sh`:
- Line 222: The current exemption grep for
petry-projects/\.github/\.github/workflows/ can match comments and cause false
negatives; update the grep -vE used in the unpinned pipeline (variable unpinned)
so it only matches when that path appears inside the uses: value itself (i.e.
before any trailing comment). Replace the plain pattern with one anchored to the
uses: directive and to the value portion, e.g. require the line start/uses token
and match petry-projects/\.github/\.github/workflows/ before a possible comment
delimiter (use a regex like
^\s*-?\s*uses:\s+[^#]*petry-projects/\.github/\.github/workflows/ or similar) so
only true uses: values are exempted.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 723b7fe9-dede-4a60-a54d-129156cebf7c
📒 Files selected for processing (2)
.github/workflows/ci.ymlscripts/compliance-audit.sh
| security-events: write | ||
| steps: | ||
| - name: Checkout (full history) | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Install gitleaks | ||
| env: | ||
| GITLEAKS_VERSION: "8.30.1" | ||
| run: | | ||
| # Checksum kept in the shell run block (not as a YAML env var) to avoid | ||
| # SonarCloud flagging hex strings in env: sections as Security Hotspots. | ||
| gitleaks_checksum="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb" | ||
| tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | ||
| url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}" | ||
| install_dir="${RUNNER_TEMP}/gitleaks-bin" | ||
| mkdir -p "${install_dir}" | ||
| wget -q "${url}" -O /tmp/gitleaks.tar.gz | ||
| echo "${gitleaks_checksum} /tmp/gitleaks.tar.gz" | sha256sum -c | ||
| tar -xzf /tmp/gitleaks.tar.gz -C "${install_dir}" gitleaks | ||
| chmod +x "${install_dir}/gitleaks" | ||
| echo "${install_dir}" >> "${GITHUB_PATH}" | ||
|
|
||
| - name: Run gitleaks | ||
| run: gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1 | ||
| uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 | ||
| with: | ||
| args: detect --source . --redact --verbose --exit-code 1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python - <<'PY'
from pathlib import Path
import subprocess
import re
def extract_job(text, job_name="secret-scan"):
lines = text.splitlines()
start = next(i for i, line in enumerate(lines) if re.match(rf'^ {job_name}:\s*$', line))
end = len(lines)
for i in range(start + 1, len(lines)):
if re.match(r'^ [A-Za-z0-9_-]+:\s*$', lines[i]):
end = i
break
return "\n".join(lines[start:end])
current = Path(".github/workflows/ci.yml").read_text()
main = subprocess.check_output(["git", "show", "origin/main:.github/workflows/ci.yml"], text=True)
print("=== PR branch ===")
print(extract_job(current))
print("\n=== origin/main ===")
print(extract_job(main))
PY
echo
echo "=== checked-in gitleaks config ==="
fd -a '^\.gitleaks\.toml$' .Repository: petry-projects/.github
Length of output: 2314
Don't bypass the checked-in gitleaks policy.
The prior main job explicitly ran gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1; this action step only passes detect --source . --redact --verbose --exit-code 1, so the repo's checked-in .gitleaks.toml policy is no longer consulted. That also introduces a GITLEAKS_LICENSE secret dependency and security-events: write permission that the existing binary-based flow on main does not require. Keep the current main implementation here instead of switching to the action-based approach.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml around lines 104 - 117, The "Run gitleaks" GitHub
Action step currently omits the checked-in policy and adds extra
secrets/permissions; update the step so it uses the repo's .gitleaks.toml and
does not introduce the action-only license/permission: change the args passed in
the "Run gitleaks" step to include --config .gitleaks.toml (i.e., detect
--source . --config .gitleaks.toml --redact --verbose --exit-code 1), remove the
GITLEAKS_LICENSE env and any added permission like security-events: write, and
if the main job previously ran the gitleaks binary directly, revert to that
implementation instead of switching to the action-based approach to preserve the
original behavior.
|
@dev-lead - please fix this PR |
|
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
@dev-lead please process and advance this PR — fix any failing CI, resolve outstanding review threads, and enable auto-merge once it's green and approvable. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
ba61bd7 to
62516a7
Compare
Dev-Lead — rebase (no-changes)Agent reasoning |



Summary
Addresses compliance audit findings for the
.githubrepo from the 2026-05-12 audit (issue #256).Changes
ci.yml: Addsecret-scanjob runninggitleaksin full-history mode — resolvessecret_scan_ci_job_presenterrordependency-audit.yml: Pindtolnay/rust-toolchain@stableto commit SHA29eef336— resolvesunpinned-actions-dependency-audit.ymlerrorscripts/compliance-audit.sh: Exemptpetry-projects/.githubinternal reusable workflow refs from SHA-pinning check — resolves false-positive findings foragent-shield.yml,claude.yml,dependabot-automerge.yml(these use@v1/@maintags which are exempt perci-standards.md#action-pinning-policy)Settings Applied via API
dependabot_security_updates: enabled (was disabled)Remaining Items (require admin PAT via
apply-repo-settings.sh)These settings could not be changed with the current token (require classic PAT with
reposcope or org admin):secret_scanning_ai_detection: requires GHAS/org admin tokensecret_scanning_non_provider_patterns: requires GHAS/org admin tokencheck-suite-auto-trigger-1236702(Claude): requires classic PATcheck-suite-auto-trigger-347564(CodeRabbit): requires classic PATRun
GH_TOKEN=<admin-pat> bash scripts/apply-repo-settings.sh .githubto apply these.Stale Findings (already resolved on main)
allow_auto_merge: alreadytrue— stale findingdelete_branch_on_merge: alreadytrue— stale findingcodeowners-org-leads-not-first/codeowners-no-catchall: already correct (* @petry-projects/org-leads) — stale findingCloses #256
Generated with Claude Code
Summary by CodeRabbit
Release Notes