Skip to content

feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml#193

Merged
don-petry merged 1 commit into
mainfrom
dev-lead/issue-149-20260521-0013
May 21, 2026
Merged

feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml#193
don-petry merged 1 commit into
mainfrom
dev-lead/issue-149-20260521-0013

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Closes #149

Implemented by dev-lead agent. Please review.

@don-petry don-petry requested a review from a team as a code owner May 21, 2026 00:13
Copilot AI review requested due to automatic review settings May 21, 2026 00:13
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 21, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 38 minutes and 10 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 89072892-60e9-4188-a3bc-5e532fc1e797

📥 Commits

Reviewing files that changed from the base of the PR and between 21c99b5 and ad83181.

📒 Files selected for processing (2)
  • .github/workflows/dependabot-automerge.yml
  • .gitignore
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-149-20260521-0013

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ad83181456

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

contents: read
pull-requests: read
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@0bba48104323486ac3b003ba3eba0ef747d9a7db # v1
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pin reusable workflow to immutable commit SHA

Switching jobs.dependabot-automerge.uses from a full commit SHA to @v1 makes this pull_request_target workflow consume a mutable ref while still inheriting secrets, so a future tag retarget in petry-projects/.github could change executed code in this repo without any local workflow diff and run with APP_PRIVATE_KEY/token privileges. Keep the reusable workflow pinned to a specific SHA to preserve reviewability and supply-chain safety.

Useful? React with 👍 / 👎.

@don-petry don-petry merged commit 3833a8d into main May 21, 2026
17 of 18 checks passed
@don-petry don-petry deleted the dev-lead/issue-149-20260521-0013 branch May 21, 2026 00:16

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Implements issue #149 by updating the Dependabot automerge workflow reference and adjusting repository ignore patterns.

Changes:

  • Updated the reusable workflow reference for Dependabot automerge to use the v1 ref.
  • Added another .dev-lead/ entry to .gitignore.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
.gitignore Adds an additional ignore entry for .dev-lead/.
.github/workflows/dependabot-automerge.yml Changes the reusable workflow reference from a pinned SHA to the v1 ref.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

contents: read
pull-requests: read
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@0bba48104323486ac3b003ba3eba0ef747d9a7db # v1
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 21, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…e.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: non-stub-dependabot-automerge.yml

3 participants