Skip to content

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db#143

Merged
don-petry merged 3 commits into
mainfrom
dependabot/github_actions/petry-projects/dot-github/dot-github/workflows/dependabot-automerge-reusable.yml-0bba48104323486ac3b003ba3eba0ef747d9a7db
May 7, 2026
Merged

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db#143
don-petry merged 3 commits into
mainfrom
dependabot/github_actions/petry-projects/dot-github/dot-github/workflows/dependabot-automerge-reusable.yml-0bba48104323486ac3b003ba3eba0ef747d9a7db

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Copy link
Copy Markdown
Contributor

Bumps petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.

Commits
  • 0bba481 docs: document OIDC immutability constraint and exempt claude.yml from SHA pi...
  • ba10e66 fix: update auto-rebase template SHA to version containing the reusable workflow
  • 126c144 feat: add auto-rebase workflow for non-Dependabot PRs
  • e945246 fix(claude-ci-fix): resolve PR via API when check_run payload is empty
  • 3a467f4 improve: clarify reusable workflow path error message (CRITICAL not false pos...
  • 956b396 fix: correct reusable workflow path syntax (remove duplicate .github) (#154)
  • 492f3eb feat(feature-ideation): report estimated execution cost in step summary (#153)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

…-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependency update PRs security Security-related PRs and issues labels Apr 27, 2026
@dependabot dependabot Bot requested a review from don-petry as a code owner April 27, 2026 06:14
@dependabot dependabot Bot added dependencies Dependency update PRs security Security-related PRs and issues labels Apr 27, 2026
…-github/dot-github/workflows/dependabot-automerge-reusable.yml-0bba48104323486ac3b003ba3eba0ef747d9a7db
@dependabot @github

dependabot Bot commented on behalf of github May 4, 2026

Copy link
Copy Markdown
Contributor Author

A newer version of petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@don-petry

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github May 4, 2026

Copy link
Copy Markdown
Contributor Author

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

…-github/dot-github/workflows/dependabot-automerge-reusable.yml-0bba48104323486ac3b003ba3eba0ef747d9a7db
@petry-projects-dependabot-automrg petry-projects-dependabot-automrg Bot requested a review from a team as a code owner May 4, 2026 20:37
@sonarqubecloud

sonarqubecloud Bot commented May 4, 2026

Copy link
Copy Markdown

@don-petry don-petry merged commit ded42ce into main May 7, 2026
31 checks passed
@don-petry don-petry deleted the dependabot/github_actions/petry-projects/dot-github/dot-github/workflows/dependabot-automerge-reusable.yml-0bba48104323486ac3b003ba3eba0ef747d9a7db branch May 7, 2026 03:46
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
…-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency update PRs security Security-related PRs and issues

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant