Skip to content

feat(audit): make centralized-stub check ring-aware (#870)#529

Merged
don-petry merged 2 commits into
mainfrom
feat/audit-ring-aware
Jun 25, 2026
Merged

feat(audit): make centralized-stub check ring-aware (#870)#529
don-petry merged 2 commits into
mainfrom
feat/audit-ring-aware

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

Makes check_centralized_workflow_stubs in compliance-audit.sh ring-aware so the audit accepts a repo's canary-ring channel pin (epic #495) for the 6 #482 reusables. This must land before any stub is repinned onto a ring channel — otherwise dev-lead remediation reverts the change (the #482 revert-collision lesson; audit-first ordering).

What changed

  • ring_tier_for_repo() — new helper mapping each repo to its ring tier:
    • next.github-private
    • ring0.github (dogfood; self-hosts via @main, skipped by the stub check — informational)
    • ring1TalkTerm, bmad-bgreat-suite
    • stable → broad fleet
    • Mirrors the epic docs(standards): add Advanced Security (GHAS) org standard #495 topology and .github-private/scripts/cut-release.sh channels.
  • RING sentinel — the 6 reusables (auto-rebase, dependency-audit, dependabot-automerge, dependabot-rebase, agent-shield, pr-review-mention) now use a RING canonical. At check time it resolves to the repo's tier channel (e.g. agent-shield/ring1 on a ring1 repo). The transitional legacy grace accepts every ring channel plus the pre-ring @v1/@v2 pins, so no stub is flagged or reverted mid-migration.
  • feature-ideation stays a fixed @v1 pin (not on the ring model).

Tests

  • 4 new bats cases for ring_tier_for_repo; existing stub_pin_acceptable cases unchanged (signature preserved). 11/11 pass.
  • shellcheck --severity=warning clean.

Refs #870

🤖 Generated with Claude Code

The 6 #482 reusables (auto-rebase, dependency-audit, dependabot-automerge,
dependabot-rebase, agent-shield, pr-review-mention) are moving onto the
canary-ring model (epic #495). The compliance audit must ACCEPT a repo's
ring-tier channel pin before any stub is repinned — otherwise dev-lead
remediation reverts the change, the #482 revert-collision lesson.

Changes:
- Add ring_tier_for_repo(): maps each repo to its tier
  (next=.github-private, ring0=.github, ring1=TalkTerm+bmad-bgreat-suite,
  stable=broad fleet). Mirrors the epic #495 topology and cut-release.sh.
- check_centralized_workflow_stubs: the 6 reusables now carry a `RING`
  sentinel canonical. At check time the expected pin resolves to the repo's
  tier channel (e.g. agent-shield/ring1 on a ring1 repo); the transitional
  legacy grace accepts every ring channel plus the pre-ring @v1/@v2 pins so
  no stub is flagged or reverted mid-migration.
- feature-ideation stays a fixed @v1 pin (not on the ring model).
- bats: 4 new cases covering ring_tier_for_repo; existing stub_pin_acceptable
  cases unchanged (signature preserved). 11/11 pass.

Refs #870
@don-petry don-petry requested a review from a team as a code owner June 25, 2026 02:51
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@don-petry

Copy link
Copy Markdown
Contributor Author

@donpetry-bot please review

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 45 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8186858d-40cd-45c6-848c-ad1a71f3b4ed

📥 Commits

Reviewing files that changed from the base of the PR and between acec895 and 58fcd2f.

📒 Files selected for processing (2)
  • scripts/compliance-audit.sh
  • test/scripts/compliance-audit/centralized-stub-pins.bats
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/audit-ring-aware

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@donpetry-bot

Copy link
Copy Markdown
Contributor

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 25, 2026 02:51

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a canary-ring model for reusable workflows, mapping repositories to specific tiers (next, ring0, ring1, stable) and dynamically resolving their canonical pins and legacy accepted channels. Feedback suggests adding an explicit return 0 to the ring_tier_for_repo function in scripts/compliance-audit.sh to make its intent self-documenting and avoid inheriting the exit status of the preceding command.

Comment thread scripts/compliance-audit.sh
@don-petry don-petry disabled auto-merge June 25, 2026 02:52
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 25, 2026
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 25, 2026 02:55

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 58fcd2f698d6abf72d7f99b6479cf553e20cfd4e
Review mode: triage-approved (single reviewer)

Summary

Makes check_centralized_workflow_stubs in compliance-audit.sh ring-aware via a new ring_tier_for_repo() helper and a RING sentinel for the 6 #482 reusables. The sentinel resolves each reusable's canonical pin to the repo's ring-tier channel (next/ring0/ring1/stable) and accepts all ring channels plus the legacy v1/v2 pins, so no stub is flagged or reverted mid-migration. Scoped, well-tested audit-logic change; +82/-12 across the script and its bats suite.

Linked issue analysis

No closing issue (closingIssuesReferences empty); PR is a Refs #870 follow-on enabling epic #495 ring topology and explicitly lands audit-first so dev-lead remediation cannot revert a ring repin (the #482 revert-collision lesson). The diff delivers exactly what the description claims: tier mapping, RING resolution, and per-repo legacy grace.

Findings

No blocking issues.

  • Correctness: recomputed canonical/legacy flow correctly into stub_pin_acceptable, which splits the CSV into an anchored uses: alternation regex; the 4-arg signature is preserved so existing cases are unaffected.
  • chan derivation (${reusable%-reusable}) and ring_tier_for_repo mapping match the stated epic #495 topology and cut-release.sh channels; feature-ideation correctly stays a fixed @v1 pin.
  • The widened acceptance set (all ring channels + v1,v2) is intentional migration grace and stays anchored to petry-projects/.github reusables, so it is not a pin-laxity security smell.
  • Secret-scan MCP tool unavailable in this run; relied on the green gitleaks CI check. No secrets in diff.
  • Tests: 4 new ring_tier_for_repo bats cases added; existing stub_pin_acceptable cases unchanged.

CI status

All required checks green: Lint, ShellCheck, Lint and bats, CodeQL, Agent Security Scan, AgentShield, Secret scan (gitleaks), SonarCloud all SUCCESS. Ecosystem audits (npm/pnpm/pip/cargo/go) SKIPPED as N/A. mergeStateStatus BLOCKED only on REVIEW_REQUIRED.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry don-petry merged commit de8234f into main Jun 25, 2026
23 checks passed
@don-petry don-petry deleted the feat/audit-ring-aware branch June 25, 2026 02:58
don-petry added a commit to petry-projects/TalkTerm that referenced this pull request Jun 25, 2026
Move this repo's 6 #482 reusable caller stubs from their pre-ring pins
(@stable / @v1 / @v2 / SHA) onto the canary-ring `<name>/ring1` channels
(epic #495). The ring1 channels were cut at the currently-running proven
version (376a4fcb), so this is a zero-behavior-change repin — promotion to
newer code is a separate soak-gated step.

The ring-aware compliance audit (petry-projects/.github#529) already accepts
these channels, so dev-lead remediation will not revert them (#482 lesson).

Refs #870

Co-authored-by: Claude Code Bot <bot@petry-projects>
don-petry added a commit to petry-projects/bmad-bgreat-suite that referenced this pull request Jun 25, 2026
Move this repo's 6 #482 reusable caller stubs from their pre-ring pins
(@stable / @v1 / @v2 / SHA) onto the canary-ring `<name>/ring1` channels
(epic #495). The ring1 channels were cut at the currently-running proven
version (376a4fcb), so this is a zero-behavior-change repin — promotion to
newer code is a separate soak-gated step.

The ring-aware compliance audit (petry-projects/.github#529) already accepts
these channels, so dev-lead remediation will not revert them (#482 lesson).

Refs #870

Co-authored-by: Claude Code Bot <bot@petry-projects>
don-petry pushed a commit to petry-projects/.github-private that referenced this pull request Jun 25, 2026
dev-lead's auto-remediation (7dc7c16) partly reverted this PR: it correctly
moved the dependency-audit test to @dependency-audit/next but "fixed" the
auto-rebase-stub failure by reverting auto-rebase.yml back to @auto-rebase/stable
instead of updating the test — the #482 revert-collision pattern. This restores
the intended next-channel repin and updates the remaining guards:

- .github/workflows/auto-rebase.yml — re-pin @auto-rebase/next.
- tests/dev-lead/integration/test_auto_rebase_stub.py — EXPECTED_REF
  @auto-rebase/stable → @auto-rebase/next.
- .github/workflows/test-dev-lead.yml — auto-rebase-stub step name → /next.
- tests/test_dependabot.bats — assert dependabot-automerge/next and reject any
  off-channel pin (vN / SHA / stable / ringN).

dev-lead's dependency-audit/next changes are kept as-is. All five .github-private
reusable stubs are now on their <name>/next channels; the ring-aware compliance
audit (petry-projects/.github#529) accepts them.

Refs #870
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 25, 2026
* chore: repin centralized stubs to next ring channel (#870)

Move this repo's 6 #482 reusable caller stubs from their pre-ring pins
(@stable / @v1 / @v2 / SHA) onto the canary-ring `<name>/next` channels
(epic #495). The next channels were cut at the currently-running proven
version (376a4fcb), so this is a zero-behavior-change repin — promotion to
newer code is a separate soak-gated step.

The ring-aware compliance audit (petry-projects/.github#529) already accepts
these channels, so dev-lead remediation will not revert them (#482 lesson).

Refs #870

* chore: apply manual instructions [skip ci-relay]

* fix: complete next-channel repin + update stub-pin guards (#870)

dev-lead's auto-remediation (7dc7c16) partly reverted this PR: it correctly
moved the dependency-audit test to @dependency-audit/next but "fixed" the
auto-rebase-stub failure by reverting auto-rebase.yml back to @auto-rebase/stable
instead of updating the test — the #482 revert-collision pattern. This restores
the intended next-channel repin and updates the remaining guards:

- .github/workflows/auto-rebase.yml — re-pin @auto-rebase/next.
- tests/dev-lead/integration/test_auto_rebase_stub.py — EXPECTED_REF
  @auto-rebase/stable → @auto-rebase/next.
- .github/workflows/test-dev-lead.yml — auto-rebase-stub step name → /next.
- tests/test_dependabot.bats — assert dependabot-automerge/next and reject any
  off-channel pin (vN / SHA / stable / ringN).

dev-lead's dependency-audit/next changes are kept as-is. All five .github-private
reusable stubs are now on their <name>/next channels; the ring-aware compliance
audit (petry-projects/.github#529) accepts them.

Refs #870

---------

Co-authored-by: Claude Code Bot <bot@petry-projects>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 25, 2026
#531)

* fix: share canary-ring pin model between audit and deploy sweep (#482)

#482's root cause is that the per-reusable canonical pin was encoded
independently in three places (template, compliance audit, deploy sweep) and
diverged. The audit became ring-aware in #529/#870, but the deploy sweep's
`is_already_compliant` was still a literal substring match on the template's
@<name>/stable pin — so a fleet sweep reported every ring1/next repo as
"drifted" and would have reverted the intentional ring pins back to stable
(criterion 2 unmet; the dry-run was dirty for TalkTerm/bmad/.github-private).

Extract the ring model into `scripts/lib/ring-pins.sh` (single source of truth)
and source it from both consumers:

- ring_tier_for_repo / ring_canonical_ref / ring_accepted_refs / ring_legacy_csv
  + the RING_REUSABLES set (now incl. dev-lead, which is ring-released too).
- compliance-audit.sh: drop the duplicate ring_tier_for_repo and compute the
  RING canonical/legacy via the lib — behaviour-identical, 11/11 stub bats pass.
- deploy-standard-workflows.sh: is_already_compliant now accepts a repo's tier
  channel (and the transitional grace) for ring reusables, so the sweep never
  reverts a ring/next pin; non-ring templates keep the exact-match rule.

Now "drift" (deploy) and "non-compliant" (audit) are computed from the same
code and cannot diverge again. Full-fleet dry-run drops from
TalkTerm+bmad+.github-private noise to only the two genuine off-channel (SHA)
pins (ContentTwin ×6, TalkTerm dev-lead) — repinned separately.

Tests: new ring-pins.bats (5) + two ring-aware dry-run cases.

Refs #482

* fix(reviews): address review comments [skip ci-relay]

---------

Co-authored-by: Claude Code Bot <bot@petry-projects>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants