Skip to content

feat(add-to-project): reusable workflow + reconcile parity (#415)#466

Merged
don-petry merged 4 commits into
mainfrom
claude/github-report-rollout-f3kuv9
Jun 15, 2026
Merged

feat(add-to-project): reusable workflow + reconcile parity (#415)#466
don-petry merged 4 commits into
mainfrom
claude/github-report-rollout-f3kuv9

Conversation

@don-petry

@don-petry don-petry commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Implements the multi-repo follow-on (#415) to the Initiatives Project pilot (#387), per the architecture decided in #415: reusable workflow + thin per-repo caller stubs pinned to the add-to-project/stable channel — not a webhook handler.

Note: Per the recorded decision, execution of the multi-repo rollout is gated on the 2026-07-07 30-day review (#414). This PR is the shovel-ready implementation so "expand" is a merge-and-pin away if the review says go. It does not itself roll the workflow out to other repos (that's adopting the template, one PR per repo).

What changed

§1 Multi-repo deployment — reusable + thin callers

  • New add-to-project-reusable.yml holds both jobs (issue/PR reconcile, discussion reconcile). Inputs: project_id, project_url, required_label, excluded_labels, ideas_category, agent_ref. Secrets: INITIATIVES_APP_ID / INITIATIVES_APP_PRIVATE_KEY.
  • add-to-project.yml is now the self-host thin caller (local ./ ref, Ring 0 dogfood; passes agent_ref: ${{ github.sha }} so scripts match the exact commit).
  • New standards/workflows/add-to-project.yml is the adoptable template, pinning both the reusable ref and agent_ref to add-to-project/stable per ci-standards.md → Reusable workflow versioning. Scripts are checked out via path: from petry-projects/.github@agent_ref, mirroring the proven feature-ideation-reusable.yml pattern.

§3 Hard-coded labels/category → env-driven

  • evaluate_noise_gate reads REQUIRED_LABEL + EXCLUDED_LABELS; reconcile_discussion reads IDEAS_CATEGORY. Defaults preserve current behavior (dev-lead; the four excluded labels; Ideas).

§2 Reconcile, not just add

  • New shared lib.sh with a single paginated find_project_item (predicate: title-prefix | content-id) plus the add/draft/delete mutations and env guard — the "designed once" mechanism Initiatives Project: multi-repo rollout + reconciliation parity #415 called for. Both scripts source it; the discussion script keeps its public function names as thin wrappers.
  • Issues/PRs that stop qualifying (dev-lead removed, or an excluded label added) are now removed from the board. The caller subscribes to unlabeled for issues and PRs.

§4 Fork-PR gate

  • The issue/PR job now runs for same-repo PRs (head.repo.fork == false) or trusted authors (OWNER/MEMBER/COLLABORATOR). External-fork PRs by untrusted authors are still skipped — an if: can't safely evaluate the labeler; this residual case is documented and left for a non-if: follow-up (Initiatives Project: multi-repo rollout + reconciliation parity #415 §4).

Tests / validation

  • test/workflows/add-to-project bats suite: 35 → 42 (remove path, env-driven gate, env-driven category, multi-match/pagination preserved). All green locally.
  • shellcheck -S warning and shellcheck -x clean; yamllint (max 200) clean; actionlint clean on all workflows; markdownlint-cli2 clean on CONTRIBUTING.md.
  • CONTRIBUTING.md updated: adoption-in-another-repo section, reconcile-on-unqualify behavior, revised fork-PR note.

Prerequisites for the rollout (not code)

  • The petry-projects-planner app installation must include each adopting repo.
  • Cut add-to-project/vX.Y.Z and move the add-to-project/stable channel before any external repo adopts the template (the template pins to that channel).

Related

https://claude.ai/code/session_01SS98x3hHsfPRJfGLgJMFom


Generated by Claude Code

Summary by CodeRabbit

  • New Features

    • Items now automatically remove from the Initiatives project when they no longer meet eligibility criteria (previously only added).
    • Auto-add-to-project workflow is now reusable across projects with configurable eligibility rules.
  • Documentation

    • Updated contributing guide to clarify automatic project reconciliation behavior and exceptions.

)

Implements the multi-repo follow-on from the Initiatives Project pilot.
Architecture decided in #415: reusable workflow + thin per-repo caller
stubs pinned to the `add-to-project/stable` channel (not a webhook handler).

§1 Multi-repo deployment
- New `add-to-project-reusable.yml` holds all jobs; inputs for project_id,
  project_url, required_label, excluded_labels, ideas_category, agent_ref.
- `add-to-project.yml` becomes the self-host thin caller (local ref, Ring 0
  dogfood; passes agent_ref=${{ github.sha }}).
- `standards/workflows/add-to-project.yml` is the adoptable template, pinned
  to add-to-project/stable for both the reusable ref and agent_ref.

§3 Hard-coded labels/category → env-driven
- evaluate_noise_gate reads REQUIRED_LABEL / EXCLUDED_LABELS; reconcile_
  discussion reads IDEAS_CATEGORY. Defaults preserve current behavior.

§2 Reconcile, not just add
- Shared lib.sh with a single paginated find_project_item (title-prefix |
  content-id), plus add/draft/delete helpers — the "designed once"
  mechanism. Issues/PRs that stop qualifying (dev-lead removed or excluded
  label added) are now removed; workflow subscribes to `unlabeled`.

§4 Fork-PR gate
- add-issue-or-pr job runs for same-repo PRs (head.repo.fork == false) or
  trusted authors. External-fork PRs by untrusted authors remain skipped
  (documented; needs a non-`if:` solution) — see #415 §4.

Tests: add-to-project bats suite 35 → 42 (remove path, env-driven config,
env-driven category). shellcheck/yamllint/actionlint clean. CONTRIBUTING
updated with adoption + reconcile docs.
@don-petry don-petry requested a review from a team as a code owner June 15, 2026 00:12
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 11 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 775a46fb-2e6f-48dc-80cd-cf72c356f775

📥 Commits

Reviewing files that changed from the base of the PR and between 2e31c45 and df40c1c.

📒 Files selected for processing (7)
  • .github/scripts/add-to-project/add-issue-or-pr.sh
  • .github/scripts/add-to-project/lib.sh
  • .github/workflows/add-to-project-reusable.yml
  • .github/workflows/add-to-project.yml
  • standards/workflows/add-to-project.yml
  • test/workflows/add-to-project/add-issue-or-pr.bats
  • test/workflows/add-to-project/reconcile-discussion.bats
📝 Walkthrough

Walkthrough

Introduces lib.sh as a shared Bash library with paginated GraphQL helpers for finding, adding, and deleting ProjectV2 items. add-issue-or-pr.sh is refactored to reconcile (add or remove) items using an env-driven noise gate. reconcile-discussion.sh delegates to lib.sh and gains a configurable IDEAS_CATEGORY. A new reusable workflow add-to-project-reusable.yml is introduced, and add-to-project.yml becomes a thin caller stub. A standards template and updated docs complete the change.

Changes

Reconcile-based add-to-project refactor

Layer / File(s) Summary
Shared lib.sh: env guard and GraphQL project-item helpers
.github/scripts/add-to-project/lib.sh
New shared library providing _atp_require_env, cursor-paginated find_project_item (title-prefix and content-id modes), add_content_to_project, add_draft_item, and delete_project_item with idempotent "already gone" handling.
add-issue-or-pr.sh: env-driven noise gate and reconcile logic
.github/scripts/add-to-project/add-issue-or-pr.sh
Sources lib.sh; evaluate_noise_gate reads REQUIRED_LABEL/EXCLUDED_LABELS env vars; find_content_item_id wraps find_project_item; reconcile_content_with_project replaces the add-only flow with a gate-status switch (add / find-then-delete / error).
reconcile-discussion.sh: delegate to lib.sh and IDEAS_CATEGORY env
.github/scripts/add-to-project/reconcile-discussion.sh
Sources lib.sh; find_existing_draft_id and add_discussion_draft become thin wrappers; reconcile_discussion uses IDEAS_CATEGORY (default "Ideas") for category matching and draft body construction.
New reusable workflow
.github/workflows/add-to-project-reusable.yml
Introduces workflow_call interface with project_id, required_label, excluded_labels, ideas_category, agent_ref inputs and INITIATIVES_APP_ID/INITIATIVES_APP_PRIVATE_KEY secrets; defines add-issue-or-pr (with fork/trusted-author gate and App token minting) and reconcile-discussion jobs.
Caller workflow refactor and tests CI trigger update
.github/workflows/add-to-project.yml, .github/workflows/add-to-project-tests.yml
add-to-project.yml becomes a single-job thin stub calling the reusable workflow; adds unlabeled to issues trigger; removes prior multi-job implementation. Tests CI gains path triggers for add-to-project-reusable.yml.
Standards workflow template and docs
standards/workflows/add-to-project.yml, CONTRIBUTING.md
Adds a copy-paste caller stub template pinned to add-to-project/stable. CONTRIBUTING.md rewrites the Initiatives board section to describe reconciliation behavior, updated fork-PR gating language, and a specific workaround reference.
Bats test coverage for reconcile, env gate, and IDEAS_CATEGORY
test/workflows/add-to-project/add-issue-or-pr.bats, test/workflows/add-to-project/reconcile-discussion.bats
New test helpers for paginated board stubs and invocation assertions; reconcile_content_with_project arg-validation, noise-gate skip, happy-path add, remove-path find-then-delete, malformed-payload robustness, and env-driven gate override tests added; IDEAS_CATEGORY override tests added to discussion suite.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Event
  participant Workflow as add-to-project-reusable.yml
  participant Script as add-issue-or-pr.sh
  participant lib as lib.sh
  participant API as GitHub GraphQL API

  GH->>Workflow: issues/pull_request_target event
  Workflow->>Workflow: fork/trusted-author gate check
  Workflow->>Script: invoke with CONTENT_NODE_ID, LABELS_JSON, REQUIRED_LABEL, EXCLUDED_LABELS
  Script->>Script: evaluate_noise_gate(labels_json)
  alt qualifies (status 0)
    Script->>lib: add_content_to_project(content_node_id)
    lib->>API: addProjectV2ItemById mutation
    API-->>lib: item added
  else no longer qualifies (status 1)
    Script->>lib: find_content_item_id(content_node_id)
    lib->>API: projectV2 items query (paginated)
    API-->>lib: item_id or not found
    lib-->>Script: item_id
    Script->>lib: delete_project_item(item_id)
    lib->>API: deleteProjectV2Item mutation
    API-->>lib: deleted or "not found" (treated as success)
  end
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

Possibly related PRs

  • petry-projects/.github#388: Directly builds on the same add-to-project automation, refactoring the workflow into a reusable caller and extending the label-gate and discussion-category logic from add-only to full reconciliation.

Suggested labels

needs-human-review

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 29.41% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(add-to-project): reusable workflow + reconcile parity' directly reflects the main changes: introducing a reusable workflow pattern and adding reconciliation capability (remove items when they no longer qualify).
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/github-report-rollout-f3kuv9

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #466
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-15T00:43:51Z

@don-petry

Copy link
Copy Markdown
Contributor Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-06-15T00:43:51Z

@don-petry don-petry enabled auto-merge (squash) June 15, 2026 00:13
@don-petry don-petry disabled auto-merge June 15, 2026 00:14
SonarCloud githubactions:S7635 — replace `secrets: inherit` with explicit
INITIATIVES_APP_ID / INITIATIVES_APP_PRIVATE_KEY in the self-host caller and
the adoptable template (least privilege; the reusable declares exactly those
two).

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the project board automation by extracting shared GraphQL operations and helper functions into a new lib.sh library, which is now utilized by both add-issue-or-pr.sh and reconcile-discussion.sh. It also introduces reconciliation logic to automatically remove items from the board when they no longer qualify, adds support for environment-driven configuration overrides, and includes comprehensive BATS tests. The review feedback suggests simplifying the case statement and optimizing the GraphQL response parsing in lib.sh to avoid multiple subshells, using the ${EXCLUDED_LABELS-...} parameter expansion to allow empty exclusions, and adding a macOS fallback for sha256sum in the test suite to improve local test portability.

Comment thread .github/scripts/add-to-project/lib.sh Outdated
Comment thread .github/scripts/add-to-project/lib.sh Outdated
Comment thread .github/scripts/add-to-project/add-issue-or-pr.sh Outdated
Comment thread test/workflows/add-to-project/add-issue-or-pr.bats Outdated
- evaluate_noise_gate: use ${EXCLUDED_LABELS-default} (no colon) so an
  explicitly empty value disables exclusions; jq -Rs handles empty input.
- find_project_item: pass the match predicate to jq as $kind (fully static
  filter, no shell interpolation) and read the parsed fields with a single
  while-read loop instead of four awk subshells.
- Add a test for empty EXCLUDED_LABELS disabling exclusions.
@don-petry don-petry enabled auto-merge (squash) June 15, 2026 00:19
@don-petry don-petry disabled auto-merge June 15, 2026 00:20

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/add-to-project-reusable.yml:
- Around line 95-101: Add the security hardening parameter persist-credentials:
false to both checkout steps in the workflow file. In
.github/workflows/add-to-project-reusable.yml at lines 95-101, add
persist-credentials: false to the Checkout add-to-project scripts step. In
.github/workflows/add-to-project-reusable.yml at lines 131-137, add
persist-credentials: false to the second checkout step as well. This prevents
credential persistence across the workflow execution, reducing the risk of
accidental credential exposure if the workflow is extended with additional
operations later.
- Line 96: The inline version comment for the actions/checkout action is
incorrect. The pinned SHA df4cb1c069e1874edd31b4311f1884172cec0e10 corresponds
to version v6, not v5.0.0 as currently stated in the comment. Update the version
comment from v5.0.0 to v6 on the line containing the actions/checkout action to
accurately reflect the actual version of the pinned SHA.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ccfe15c2-a825-4c6c-b0e5-0f03a7474c6b

📥 Commits

Reviewing files that changed from the base of the PR and between ce8a8c3 and 2e31c45.

📒 Files selected for processing (10)
  • .github/scripts/add-to-project/add-issue-or-pr.sh
  • .github/scripts/add-to-project/lib.sh
  • .github/scripts/add-to-project/reconcile-discussion.sh
  • .github/workflows/add-to-project-reusable.yml
  • .github/workflows/add-to-project-tests.yml
  • .github/workflows/add-to-project.yml
  • CONTRIBUTING.md
  • standards/workflows/add-to-project.yml
  • test/workflows/add-to-project/add-issue-or-pr.bats
  • test/workflows/add-to-project/reconcile-discussion.bats

Comment thread .github/workflows/add-to-project-reusable.yml
Comment thread .github/workflows/add-to-project-reusable.yml Outdated
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 15, 2026
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry disabled auto-merge June 15, 2026 00:26
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 15, 2026 00:28

Copy link
Copy Markdown
Contributor Author

Code review

Overview. Refactors the Initiatives-project automation from a single-repo, add-only workflow into a reusable workflow + thin caller stubs, and upgrades the scripts from "add" to full "reconcile" (add when qualifying, remove when not). Implements #415 §1–4.

Strengths

  • Matches org patterns: thin caller + reusable mirrors auto-rebase/feature-ideation; @add-to-project/stable channel pin per ci-standards; top-level permissions: {} with least-privilege job grants; App-token minting via pinned create-github-app-token.
  • find_project_item (predicate title-prefix|content-id) cleanly unifies the two lookups; static jq filter via $kind avoids shell interpolation.
  • Error taxonomy preserved (64 arg / 65 payload / 75 null-node / 1 clean-skip), idempotent delete, pagination cursor handling — all retained and tested.

Suggestions (non-blocking)

  • Perf at multi-repo scale — wasteful scan on opened. The remove path runs a full paginated find_content_item_id on every non-qualifying issue/PR event, including opened. A brand-new item can't already be on the board, so for action == 'opened' the scan is pure overhead (and the common case is "non-dev-lead issue opened"). Consider short-circuiting the remove path on opened. Negligible for the single-repo pilot; worth it once N repos fan in.
  • Test gap. Tests cover find returning 75 (data.node:null) directly, but not that reconcile_content_with_project propagates that 75 on the remove path (it does, via set -e on the command substitution). One test would lock the contract.
  • Cosmetic. add_content_to_project logs "Adding…" even when the item is already present (idempotent re-add).

Rollout prerequisite (already documented)

The template pins @add-to-project/stable, which doesn't exist yet. The release step (cut add-to-project/vX.Y.Z, move stable) must precede any adopting-repo PR, else those callers fail at startup. Correctly gated to the post-2026-07-07 review (#414).

Security — looks right

  • pull_request_target job gated to same-repo (head.repo.fork == false) or trusted authors; residual external-fork+maintainer-label case documented (Initiatives Project: multi-repo rollout + reconciliation parity #415 §4).
  • Scripts checked out from petry-projects/.github@agent_ref (base/SHA-pinned), not PR head — untrusted PR code never runs with the App secret.
  • persist-credentials: false; explicit (non-inherit) secret passing; SonarCloud hotspot cleared.

Tests

43 bats covering add/remove/skip, env-driven gate + category, malformed payloads, pagination cursor, multi-match, null-node, draft↔issue. shellcheck (-S warning and -x), yamllint, actionlint, markdownlint all clean.

Verdict: approve-quality. Correct, well-tested, faithful to org standards. The only thing worth acting on before heavy multi-repo fan-out is the opened-event scan optimization; the rest is polish or already-documented rollout sequencing.


Generated by Claude Code

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: df40c1caf63549e82c7813b56e617e618341fbe0
Review mode: triage-approved (single reviewer)

Summary

Refactors the auto-add-to-Initiatives-project automation into a reusable workflow + thin per-repo caller stubs (#415 §1), extracts a shared lib.sh with a paginated find_project_item helper, makes the noise-gate labels/category env-driven (§3), adds reconcile-on-unqualify (remove items that stop qualifying, §2), and tightens the fork-PR gate (§4). Confirmation review for triage-approved: the security-sensitive pull_request_target + secrets pattern is implemented correctly.

Linked issue analysis

No closingIssuesReferences (intentional — the PR notes execution of the multi-repo rollout is gated on the 2026-07-07 review #414; this is the shovel-ready implementation, not the rollout). It substantively addresses the four sub-items of the architecture decision #415: §1 reusable+thin-caller, §2 reconcile/remove, §3 env-driven config, §4 fork-PR gate. The deferred residual (maintainer-labeled PR from an untrusted external fork) is explicitly documented and fails closed.

Findings

Security (pull_request_target + secrets) — handled correctly:

  • The reusable does not check out untrusted PR head code: actions/checkout uses ref: ${{ inputs.agent_ref }} (self-host passes github.sha; template pins add-to-project/stable), with persist-credentials: false.
  • Fork-PR gate fails closed: the issue/PR job runs only for github.event_name == 'issues', same-repo PRs (head.repo.fork == false), or trusted authors (OWNER/MEMBER/COLLABORATOR). External-fork PRs by untrusted authors are skipped.
  • No shell/GraphQL injection: PR & discussion titles, labels, node IDs, URLs are passed via env: and supplied to gh api graphql as -F/--arg variables — never interpolated into run: scripts or query bodies.
  • Least privilege: top-level permissions: {}, job-level contents: read; project mutations use a short-lived App installation token (not GITHUB_TOKEN). Secrets are passed explicitly to the reusable rather than via secrets: inherit — an improvement over a blanket inherit.
  • Actions are SHA-pinned (checkout, create-github-app-token).

Correctness:

  • add-issue-or-pr.sh: qualifying → idempotent addProjectV2ItemById (no find-first, relies on documented idempotency); non-qualifying → find by content-id and delete if present. Matches the new bats cases.
  • lib.sh find_project_item paginates and fails loudly (exit 75) on data.node == null rather than risking duplicate adds; multi-match emits a warning and proceeds with the first. The ${line#prefix=} parsing preserves = in base64 cursors.
  • EXCLUDED_LABELS uses ${VAR-default} (no colon) so an explicitly empty value opts out of all exclusions while unset keeps defaults — covered by a dedicated test.
  • Trigger now includes unlabeled (issues + PRs) so the remove path actually fires; concurrency group preserved.

Maintainability — minor (non-blocking):

  • The new add-to-project-reusable.yml and standards/workflows/add-to-project.yml pin actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with comment # v6, but the pre-existing caller commented the same SHA as # v5.0.0. One comment is stale — reconcile so the pin comment is accurate (the SHA itself is what's enforced; actionlint is green).

CI status

All required checks green: Agent Security Scan, CodeQL/Analyze (actions), agent-shield/AgentShield, Secret scan (gitleaks), ShellCheck, Shellcheck and bats, SonarCloud, Lint, Detect ecosystems, pr-auto-review, dev-lead/dispatch — all SUCCESS. Language audits (cargo/npm/pip/pnpm/go) SKIPPED (not applicable). mergeStateStatus is BLOCKED only because reviewDecision is REVIEW_REQUIRED (this review).


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry don-petry merged commit 151347e into main Jun 15, 2026
24 checks passed
@don-petry don-petry deleted the claude/github-report-rollout-f3kuv9 branch June 15, 2026 11:30
don-petry added a commit that referenced this pull request Jun 18, 2026
Adds add-to-project.yml to DEPLOYABLE_WORKFLOWS plus a narrow SKIP_OVERRIDES so .github-private receives only this stub. Reusable publishes add-to-project/stable (v1.0.0 @ 151347e). No compliance impact. Owner-authorized ahead of the 2026-07-07 gate. Refs #415, #414, #466.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants