Skip to content

fix: address OpenSSF Scorecard findings#22

Merged
don-petry merged 3 commits into
mainfrom
scorecard-fixes
Mar 28, 2026
Merged

fix: address OpenSSF Scorecard findings#22
don-petry merged 3 commits into
mainfrom
scorecard-fixes

Conversation

@don-petry

@don-petry don-petry commented Mar 27, 2026

Copy link
Copy Markdown
Contributor

Summary

Closes #18, #19, #20, #21

Test plan

  • Verify CI passes on this PR
  • Verify CodeQL runs on push to main
  • Verify no workflow permission errors
  • Re-run OpenSSF Scorecard to confirm improved scores

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Added a security policy describing supported versions, private vulnerability reporting, required report details, and response timelines (48‑hour ack, 5 business days assessment, 30 days for fixes).
  • Chores

    • Tightened CI workflow permission defaults and restored explicit job-level permissions where required.
    • Pinned third‑party actions to specific revisions for more reproducible workflows.
    • Adjusted an action input key used for an AI/code helper integration.

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 27, 2026 20:44
@coderabbitai

coderabbitai Bot commented Mar 27, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5e7a3924-3f0b-4ff6-9e39-92be96de61b3

📥 Commits

Reviewing files that changed from the base of the PR and between 73a4c22 and ccb56fa.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/claude.yml

📝 Walkthrough

Walkthrough

Top-level GitHub Actions workflow permissions were set to empty (permissions: {}) across workflows with job-level permissions restored where required; several workflow action references were pinned to specific commit SHAs; and a new SECURITY.md was added defining vulnerability reporting and response timelines.

Changes

Cohort / File(s) Summary
Workflows — claude
.github/workflows/claude.yml
Added top-level permissions: {}; renamed Claude action input from anthropic_api_keyclaude_code_oauth_token; job-level permissions unchanged.
Workflows — codeql
.github/workflows/codeql-analysis.yml
Added top-level permissions: {}; pinned actions/checkout@v4 and github/codeql-action/*@v3 steps to commit SHAs; retained analyze job-level permissions.
Workflows — dependabot
.github/workflows/dependabot-automerge.yml
Replaced workflow-level permissions with permissions: {} and reintroduced job-scoped permissions for dependabot; pinned dependabot/fetch-metadata and actions/create-github-app-token to commit SHAs.
Workflows — sonarcloud
.github/workflows/sonarcloud.yml
Set workflow-level permissions: {} and added job-level permissions for the sonarcloud job (contents: read, pull-requests: read).
Security policy
SECURITY.md
Added project security policy with reporting channels (email and private GitHub reports), required report contents, supported versions, and response timeline targets (48h ack, 5 business days assessment, 30 days to fix).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning Changes to Claude workflow action input naming (anthropic_api_key → claude_code_oauth_token) appear unrelated to OpenSSF Scorecard findings or the linked issue #18 about security policy. Explain the rationale for the Claude workflow input change or move it to a separate PR focused on that specific fix.
Linked Issues check ❓ Inconclusive The PR addresses issue #18 by adding a SECURITY.md file; however, the raw_summary and PR description mention addressing issues #19, #20, and #21, but only issue #18 is provided in the linked_issues section for validation. Confirm that workflow permission scoping, action pinning, and SAST enablement changes (related to issues #19-#21) align with their stated requirements, or clarify which issues are in scope for this PR.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: address OpenSSF Scorecard findings' accurately summarizes the main objective of the PR, which is to implement fixes for OpenSSF Scorecard findings related to security policies, workflow permissions, action pinning, and SAST enablement.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch scorecard-fixes

Comment @coderabbitai help to get the list of available commands and usage tips.

Comment thread .github/workflows/claude.yml Fixed
Comment thread .github/workflows/codeql-analysis.yml Fixed
Comment thread .github/workflows/dependabot-automerge.yml Fixed
Comment thread .github/workflows/sonarcloud.yml Fixed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (6)
SECURITY.md (2)

5-8: Make the support matrix explicit instead of using latest.

Using latest is ambiguous for security response scope. Prefer explicit major/minor ranges (and optionally EOL dates) so reporters know what is in-support.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` around lines 5 - 8, Replace the ambiguous "latest" entry in the
security support matrix table in SECURITY.md with explicit version identifiers
and ranges (e.g., "1.4 - 2.x" or "2.0 (EOL 2026-12-31)") and/or EOL dates so the
"Version | Supported" row clearly enumerates supported major/minor versions and
their support status; update the table row that currently reads "| latest |
:white_check_mark: |" to one or more rows that list concrete version ranges or
specific versions and corresponding support indicators.

26-28: Good SLA targets; consider “target” wording for complex cases.

The timelines are clear. Optional tweak: phrase as targets (with status updates when timelines slip) to avoid over-committing on high-complexity incidents.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` around lines 26 - 28, Update the three SLA bullets that
currently state firm deadlines ("We will acknowledge receipt of your report
within 48 hours.", "We will provide an initial assessment within 5 business
days.", "We aim to release a fix within 30 days of confirming the
vulnerability.") to describe them as targets (e.g., prefix or rephrase with
"Target:" or "We aim to... and will provide status updates if timelines slip")
and add a short clause indicating that for complex incidents the team will
provide regular status updates if targets cannot be met; ensure the edited lines
preserve the same timeline values but use the word "target" and include a note
about status updates.
.github/workflows/sonarcloud.yml (1)

9-10: Use zero default permissions at workflow scope.

Line 9 uses read-all, which is broader than needed. With explicit job permissions already present, set workflow default to {}.

Suggested change
-permissions: read-all
+permissions: {}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sonarcloud.yml around lines 9 - 10, The workflow's global
permissions are too broad: replace the top-level "permissions: read-all" setting
with an empty permissions object "{}" so the default workflow scope is
zero-permissions while leaving your existing explicit job-level permissions
intact; locate the "permissions: read-all" entry in the sonarcloud.yml workflow
and change it to "permissions: {}" to enforce least privilege.
.github/workflows/claude.yml (1)

12-12: Tighten default workflow token permissions.

Line 12 sets a broad default (read-all). Since this workflow already grants explicit job permissions, switch the workflow default to none to prevent future jobs from inheriting unintended scopes.

Suggested change
-permissions: read-all
+permissions: {}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml at line 12, The workflow default permission is
set to the overly-broad value "permissions: read-all"; change the top-level
default to "permissions: none" so jobs do not inherit unintended scopes, while
keeping any explicit job- or step-level permissions intact (update the
occurrence of permissions: read-all to permissions: none and verify existing
explicit job permissions remain as intended).
.github/workflows/codeql-analysis.yml (1)

13-14: Reduce workflow-level permission blast radius.

Line 13 introduces read-all; with explicit job-level permissions already in place, defaulting to {} is safer and keeps least-privilege stricter for future jobs.

Suggested change
-permissions: read-all
+permissions: {}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.yml around lines 13 - 14, The workflow
sets a broad workflow-level permission ("permissions: read-all") which increases
blast radius; change it to the least privileged default by removing or replacing
that top-level "permissions: read-all" with an empty permissions object
("permissions: {}") and rely on the existing explicit job-level permissions,
ensuring no job inherits unnecessary read-all privileges.
.github/workflows/dependabot-automerge.yml (1)

8-8: Avoid broad workflow defaults for GITHUB_TOKEN.

Line 8 sets read-all globally. Since the dependabot job already declares the required write scopes, prefer a zero default at workflow level.

Suggested change
-permissions: read-all
+permissions: {}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-automerge.yml at line 8, The workflow currently
sets a broad default for GITHUB_TOKEN with "permissions: read-all"; change the
workflow-level permission to a zero default (e.g., "permissions: none") and rely
on the existing explicit permissions declared on the dependabot job so only the
job gets the write scopes it needs; update/remove the "permissions: read-all"
entry and verify the dependabot job still declares its required write
permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@SECURITY.md`:
- Line 15: Replace the ambiguous phrase "send an email to the repository
maintainers" in SECURITY.md with a concrete contact address or link (for example
a dedicated mailbox like security@yourdomain.tld or a link to contact
instructions), and optionally include instructions for encrypted reports (PGP
key fingerprint) and expected response time so reporters have a guaranteed,
secure reporting path; update the sentence that currently reads "Instead, please
send an email to the repository maintainers or use [GitHub's private
vulnerability reporting]..." to reference the explicit contact address or link
and any encryption guidance.

---

Nitpick comments:
In @.github/workflows/claude.yml:
- Line 12: The workflow default permission is set to the overly-broad value
"permissions: read-all"; change the top-level default to "permissions: none" so
jobs do not inherit unintended scopes, while keeping any explicit job- or
step-level permissions intact (update the occurrence of permissions: read-all to
permissions: none and verify existing explicit job permissions remain as
intended).

In @.github/workflows/codeql-analysis.yml:
- Around line 13-14: The workflow sets a broad workflow-level permission
("permissions: read-all") which increases blast radius; change it to the least
privileged default by removing or replacing that top-level "permissions:
read-all" with an empty permissions object ("permissions: {}") and rely on the
existing explicit job-level permissions, ensuring no job inherits unnecessary
read-all privileges.

In @.github/workflows/dependabot-automerge.yml:
- Line 8: The workflow currently sets a broad default for GITHUB_TOKEN with
"permissions: read-all"; change the workflow-level permission to a zero default
(e.g., "permissions: none") and rely on the existing explicit permissions
declared on the dependabot job so only the job gets the write scopes it needs;
update/remove the "permissions: read-all" entry and verify the dependabot job
still declares its required write permissions.

In @.github/workflows/sonarcloud.yml:
- Around line 9-10: The workflow's global permissions are too broad: replace the
top-level "permissions: read-all" setting with an empty permissions object "{}"
so the default workflow scope is zero-permissions while leaving your existing
explicit job-level permissions intact; locate the "permissions: read-all" entry
in the sonarcloud.yml workflow and change it to "permissions: {}" to enforce
least privilege.

In `@SECURITY.md`:
- Around line 5-8: Replace the ambiguous "latest" entry in the security support
matrix table in SECURITY.md with explicit version identifiers and ranges (e.g.,
"1.4 - 2.x" or "2.0 (EOL 2026-12-31)") and/or EOL dates so the "Version |
Supported" row clearly enumerates supported major/minor versions and their
support status; update the table row that currently reads "| latest |
:white_check_mark: |" to one or more rows that list concrete version ranges or
specific versions and corresponding support indicators.
- Around line 26-28: Update the three SLA bullets that currently state firm
deadlines ("We will acknowledge receipt of your report within 48 hours.", "We
will provide an initial assessment within 5 business days.", "We aim to release
a fix within 30 days of confirming the vulnerability.") to describe them as
targets (e.g., prefix or rephrase with "Target:" or "We aim to... and will
provide status updates if timelines slip") and add a short clause indicating
that for complex incidents the team will provide regular status updates if
targets cannot be met; ensure the edited lines preserve the same timeline values
but use the word "target" and include a note about status updates.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f0f1de7c-a7a4-4d8f-8f80-5b1f6d7cdca1

📥 Commits

Reviewing files that changed from the base of the PR and between 1184c97 and 68e147f.

📒 Files selected for processing (5)
  • .github/workflows/claude.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/sonarcloud.yml
  • SECURITY.md

Comment thread SECURITY.md Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s security posture in response to OpenSSF Scorecard findings by adding a security policy and tightening GitHub Actions configurations (token permissions, dependency pinning, and SAST coverage).

Changes:

  • Add SECURITY.md to document a vulnerability reporting policy.
  • Restrict GitHub Actions workflow/job token permissions using workflow defaults plus per-job overrides.
  • Pin GitHub Actions dependencies to specific commit SHAs and ensure CodeQL runs on push to main.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
SECURITY.md Introduces a security policy and vulnerability reporting guidance.
.github/workflows/sonarcloud.yml Moves to workflow-level permissions defaults + job-level least-privilege; pins actions.
.github/workflows/dependabot-automerge.yml Adds workflow/job permission scoping; pins actions used by the workflow.
.github/workflows/codeql-analysis.yml Ensures CodeQL runs on push to main, scopes permissions, and pins actions.
.github/workflows/claude.yml Adds workflow-level permissions default and keeps explicit job-level permissions; pins action.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/codeql-analysis.yml
Comment thread .github/workflows/dependabot-automerge.yml
- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
SECURITY.md (1)

5-8: Clarify supported-version scope beyond latest.

Using only latest is a bit ambiguous during triage. Consider listing concrete supported release lines (or main/release branches) so reporters can clearly determine support status.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` around lines 5 - 8, Update the SECURITY.md supported-versions
table to replace the ambiguous "latest" entry with explicit supported release
lines or branches (for example "main", "v1.x", "v2.x" or specific supported
tags) and clearly mark each as supported or EOL; edit the table row that
currently shows "| latest | :white_check_mark: |" to list the concrete
branches/tags and their support status so reporters can unambiguously determine
whether their version is supported.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@SECURITY.md`:
- Around line 5-8: Update the SECURITY.md supported-versions table to replace
the ambiguous "latest" entry with explicit supported release lines or branches
(for example "main", "v1.x", "v2.x" or specific supported tags) and clearly mark
each as supported or EOL; edit the table row that currently shows "| latest |
:white_check_mark: |" to list the concrete branches/tags and their support
status so reporters can unambiguously determine whether their version is
supported.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f72d4435-d239-4efe-b18a-939ef8d57302

📥 Commits

Reviewing files that changed from the base of the PR and between 68e147f and 73a4c22.

📒 Files selected for processing (5)
  • .github/workflows/claude.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/sonarcloud.yml
  • SECURITY.md
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/sonarcloud.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/claude.yml
  • .github/workflows/dependabot-automerge.yml

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.
@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry merged commit dc68091 into main Mar 28, 2026
13 of 14 checks passed
@don-petry don-petry deleted the scorecard-fixes branch March 28, 2026 13:30
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…564 (#271)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #272 — Compliance: dev-lead-stub-pin (#297)

* feat: implement issue #272 — Compliance: dev-lead-stub-pin

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary) (#306)

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary ring)

* fix(security): suppress gitleaks false positives for commit c5099d1

Adds .gitleaksignore fingerprints for commit c5099d1 which contains
the same SHA256 content checksums in _bmad/_config/files-manifest.csv
that have been documented as false positives in five prior commits.
The generic-api-key rule flags high-entropy hex strings; these are
file-content checksums, not credentials.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: implement issue #227 — Compliance: check-suite-auto-trigger-347564

Pin org reusable workflows to @v1 (agent-shield, dependabot-automerge,
dependency-audit) and reinforce repo settings via a weekly schedule plus
self-path trigger and a concurrency group on apply-repo-settings.

Closes #227

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(secret-scan): suppress gitleaks false positives in commit 38e9f74

Added suppression for commit 38e9f74 which
contains the same _bmad/_config/files-manifest.csv CSV rows (SHA256 checksums
of BMAD skill files, not API keys) as previously-reviewed commits. Gitleaks
generic-api-key rule flags high-entropy hex strings; these are file-content
checksums, not credentials.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(secret-scan): suppress additional gitleaks false positive in da36d9b

Commit da36d9b contains the same false-positive generic-api-key findings
in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
as earlier commits. These are SHA256 file-content checksums in a manifest
CSV, not API keys. Adding them to .gitleaksignore to resolve the
full-history gitleaks enforcement check failure.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(bot): address bot feedback [skip ci-relay]

* fix(secret-scan): suppress remaining gitleaks false positives

Gitleaks full-history enforcement (CLI scan) found 11 unflagged fingerprints
in two commits:

- f57f035: rebase/merge copy of "chore: add ECC integration, TEA module,
  and slim CLAUDE.md" — all 6 lines (281, 282, 284, 300, 409, 433) in
  _bmad/_config/files-manifest.csv were unregistered.
- 3d0fa15: same commit message variant — lines 281, 282, 284, 300, 409
  were missing; only line 433 had been suppressed.

All findings are SHA256 content checksums in the BMAD files-manifest CSV,
not real credentials. Same false-positive rationale as the previously
suppressed entries above them in .gitleaksignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…564 (#271)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #272 — Compliance: dev-lead-stub-pin (#297)

* feat: implement issue #272 — Compliance: dev-lead-stub-pin

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary) (#306)

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary ring)

* fix(security): suppress gitleaks false positives for commit c5099d1

Adds .gitleaksignore fingerprints for commit c5099d1 which contains
the same SHA256 content checksums in _bmad/_config/files-manifest.csv
that have been documented as false positives in five prior commits.
The generic-api-key rule flags high-entropy hex strings; these are
file-content checksums, not credentials.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: implement issue #227 — Compliance: check-suite-auto-trigger-347564

Pin org reusable workflows to @v1 (agent-shield, dependabot-automerge,
dependency-audit) and reinforce repo settings via a weekly schedule plus
self-path trigger and a concurrency group on apply-repo-settings.

Closes #227

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(secret-scan): suppress gitleaks false positives in commit 38e9f74

Added suppression for commit 38e9f74 which
contains the same _bmad/_config/files-manifest.csv CSV rows (SHA256 checksums
of BMAD skill files, not API keys) as previously-reviewed commits. Gitleaks
generic-api-key rule flags high-entropy hex strings; these are file-content
checksums, not credentials.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(secret-scan): suppress additional gitleaks false positive in da36d9b

Commit da36d9b contains the same false-positive generic-api-key findings
in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
as earlier commits. These are SHA256 file-content checksums in a manifest
CSV, not API keys. Adding them to .gitleaksignore to resolve the
full-history gitleaks enforcement check failure.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(bot): address bot feedback [skip ci-relay]

* fix(secret-scan): suppress remaining gitleaks false positives

Gitleaks full-history enforcement (CLI scan) found 11 unflagged fingerprints
in two commits:

- f57f035: rebase/merge copy of "chore: add ECC integration, TEA module,
  and slim CLAUDE.md" — all 6 lines (281, 282, 284, 300, 409, 433) in
  _bmad/_config/files-manifest.csv were unregistered.
- 3d0fa15: same commit message variant — lines 281, 282, 284, 300, 409
  were missing; only line 433 had been suppressed.

All findings are SHA256 content checksums in the BMAD files-manifest CSV,
not real credentials. Same false-positive rationale as the previously
suppressed entries above them in .gitleaksignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Scorecard: Security-Policy (0/10)

3 participants