Skip to content

fix: pin dependabot-automerge reusable workflow to SHA#124

Merged
don-petry merged 4 commits into
mainfrom
claude/issue-87-20260420-1232
Apr 26, 2026
Merged

fix: pin dependabot-automerge reusable workflow to SHA#124
don-petry merged 4 commits into
mainfrom
claude/issue-87-20260420-1232

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

Closes #87

Generated with Claude Code

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

@don-petry — this is the code owner for .github/. The change pins dependabot-automerge-reusable.yml@v1 to its current SHA (ee22b427) to resolve the compliance audit finding in issue #87. The v1 tag was updated since the prior fix attempt (PR #102), which is why that fix no longer satisfied the audit. Please review and merge when ready.

@coderabbitai

coderabbitai Bot commented Apr 20, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 58 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 59 minutes and 58 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c4df83de-bb1b-48ee-9a22-cd6c873da844

📥 Commits

Reviewing files that changed from the base of the PR and between fe430de and 0393048.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-automerge.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-87-20260420-1232

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI review requested due to automatic review settings April 25, 2026 18:29
@don-petry don-petry removed the request for review from Copilot April 25, 2026 18:29
@don-petry

Copy link
Copy Markdown
Contributor Author

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: f886b680de849558193cfabc546b162f47e5ab3b
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR pins a reusable GitHub Actions workflow call from a mutable @v1 tag to an immutable commit SHA (ee22b427), resolving compliance finding #87. All CI checks pass (CodeQL, SonarQube, CodeRabbit), the change is a single line, and it is a net security improvement with no regressions introduced.

Findings

Info

  • [info] .github/workflows/dependabot-automerge.yml:39 — Pre-existing 'secrets: inherit' passes all caller secrets to the reusable workflow. This is not introduced by this PR but is worth reviewing separately — callers should pass only the minimum required secrets.
  • [info] .github/workflows/dependabot-automerge.yml:39 — SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d cannot be independently verified in this review context, but the PR author (org MEMBER) attests it was retrieved via 'gh api repos/petry-projects/.github/git/refs/tags/v1' and SonarQube/CodeQL scans passed with no findings.

CI status

All CI checks passed (CodeQL, SonarQube, CodeRabbit) with no findings.

Note: GitHub prevents self-approval (PR author = reviewer account). Review posted as comment; a human approver or separate bot token is needed to formally approve.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with `@don-petry` if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 25, 2026 21:04
Copilot AI review requested due to automatic review settings April 26, 2026 01:56
@don-petry don-petry removed the request for review from Copilot April 26, 2026 01:56
@don-petry don-petry merged commit 838aa03 into main Apr 26, 2026
3 checks passed
@don-petry don-petry deleted the claude/issue-87-20260420-1232 branch April 26, 2026 01:57
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-dependabot-automerge.yml

1 participant