Skip to content

chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1#27

Merged
don-petry merged 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4.35.1
Apr 1, 2026
Merged

chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1#27
don-petry merged 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4.35.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Copy link
Copy Markdown
Contributor

Bumps github/codeql-action from 3.35.1 to 4.35.1.

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

v4.35.0

v4.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

  • Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
  • Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
  • Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
  • The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

v4.32.4

  • Update default CodeQL bundle version to 2.24.2. #3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v4.32.3

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

  • Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515

... (truncated)

Commits
  • 5cc552f Merge pull request #3768 from github/dependabot/npm_and_yarn/npm-minor-3536e7...
  • 6b1a9f2 Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-3536e7c6f0
  • 9d3ec57 Merge pull request #3770 from github/dependabot/github_actions/dot-github/wor...
  • 3ff82aa Merge pull request #3575 from github/mbg/ts/sync-checks
  • 4bdd4e7 Merge pull request #3554 from github/sam-robson/overlay-include-diff
  • 23a0098 fix: improve error handling and logging for diff range path resolution
  • ea7b090 Rebuild
  • a663d01 Bump ruby/setup-ruby
  • b659882 Bump the npm-minor group with 5 updates
  • d5bb39f refactor: single source of truth for getDiffRangesJsonFilePath and simplified...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependency update PRs github_actions Pull requests that update GitHub Actions code labels Mar 30, 2026
@don-petry don-petry merged commit 383a510 into main Apr 1, 2026
5 checks passed
@don-petry don-petry deleted the dependabot/github_actions/github/codeql-action-4.35.1 branch April 1, 2026 02:23
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 20, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 20, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 21, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…564 (#271)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #272 — Compliance: dev-lead-stub-pin (#297)

* feat: implement issue #272 — Compliance: dev-lead-stub-pin

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary) (#306)

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary ring)

* fix(security): suppress gitleaks false positives for commit c5099d1

Adds .gitleaksignore fingerprints for commit c5099d1 which contains
the same SHA256 content checksums in _bmad/_config/files-manifest.csv
that have been documented as false positives in five prior commits.
The generic-api-key rule flags high-entropy hex strings; these are
file-content checksums, not credentials.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: implement issue #227 — Compliance: check-suite-auto-trigger-347564

Pin org reusable workflows to @v1 (agent-shield, dependabot-automerge,
dependency-audit) and reinforce repo settings via a weekly schedule plus
self-path trigger and a concurrency group on apply-repo-settings.

Closes #227

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(secret-scan): suppress gitleaks false positives in commit 38e9f74

Added suppression for commit 38e9f74 which
contains the same _bmad/_config/files-manifest.csv CSV rows (SHA256 checksums
of BMAD skill files, not API keys) as previously-reviewed commits. Gitleaks
generic-api-key rule flags high-entropy hex strings; these are file-content
checksums, not credentials.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(secret-scan): suppress additional gitleaks false positive in da36d9b

Commit da36d9b contains the same false-positive generic-api-key findings
in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
as earlier commits. These are SHA256 file-content checksums in a manifest
CSV, not API keys. Adding them to .gitleaksignore to resolve the
full-history gitleaks enforcement check failure.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(bot): address bot feedback [skip ci-relay]

* fix(secret-scan): suppress remaining gitleaks false positives

Gitleaks full-history enforcement (CLI scan) found 11 unflagged fingerprints
in two commits:

- f57f035: rebase/merge copy of "chore: add ECC integration, TEA module,
  and slim CLAUDE.md" — all 6 lines (281, 282, 284, 300, 409, 433) in
  _bmad/_config/files-manifest.csv were unregistered.
- 3d0fa15: same commit message variant — lines 281, 282, 284, 300, 409
  were missing; only line 433 had been suppressed.

All findings are SHA256 content checksums in the BMAD files-manifest CSV,
not real credentials. Same false-positive rationale as the previously
suppressed entries above them in .gitleaksignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 22, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 22, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…564 (#271)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #272 — Compliance: dev-lead-stub-pin (#297)

* feat: implement issue #272 — Compliance: dev-lead-stub-pin

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary) (#306)

* ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary ring)

* fix(security): suppress gitleaks false positives for commit c5099d1

Adds .gitleaksignore fingerprints for commit c5099d1 which contains
the same SHA256 content checksums in _bmad/_config/files-manifest.csv
that have been documented as false positives in five prior commits.
The generic-api-key rule flags high-entropy hex strings; these are
file-content checksums, not credentials.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: implement issue #227 — Compliance: check-suite-auto-trigger-347564

Pin org reusable workflows to @v1 (agent-shield, dependabot-automerge,
dependency-audit) and reinforce repo settings via a weekly schedule plus
self-path trigger and a concurrency group on apply-repo-settings.

Closes #227

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(secret-scan): suppress gitleaks false positives in commit 38e9f74

Added suppression for commit 38e9f74 which
contains the same _bmad/_config/files-manifest.csv CSV rows (SHA256 checksums
of BMAD skill files, not API keys) as previously-reviewed commits. Gitleaks
generic-api-key rule flags high-entropy hex strings; these are file-content
checksums, not credentials.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(secret-scan): suppress additional gitleaks false positive in da36d9b

Commit da36d9b contains the same false-positive generic-api-key findings
in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
as earlier commits. These are SHA256 file-content checksums in a manifest
CSV, not API keys. Adding them to .gitleaksignore to resolve the
full-history gitleaks enforcement check failure.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(bot): address bot feedback [skip ci-relay]

* fix(secret-scan): suppress remaining gitleaks false positives

Gitleaks full-history enforcement (CLI scan) found 11 unflagged fingerprints
in two commits:

- f57f035: rebase/merge copy of "chore: add ECC integration, TEA module,
  and slim CLAUDE.md" — all 6 lines (281, 282, 284, 300, 409, 433) in
  _bmad/_config/files-manifest.csv were unregistered.
- 3d0fa15: same commit message variant — lines 281, 282, 284, 300, 409
  were missing; only line 433 had been suppressed.

All findings are SHA256 content checksums in the BMAD files-manifest CSV,
not real credentials. Same false-positive rationale as the previously
suppressed entries above them in .gitleaksignore.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 23, 2026
…ub (#302)

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* fix: make copilot setup workflow docs-only for current TalkTerm main

TalkTerm default branch currently contains docs/scripts and no lockfile, so
npm setup steps fail. Switch to checkout + verify only (same docs-only
pattern used in ContentTwin and bmad-bgreat-suite) until app source lands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Initial commit

* Install BMad Method v6.2.0 with Claude Code integration

Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module,
36 skills and 9 agents configured for Claude Code.

https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj

* fix: configure CodeQL to scan Python only (#6)

* fix: add CodeQL workflow targeting Python only

* fix: add contents:read permission for checkout step

* chore: add ECC integration, TEA module, and slim CLAUDE.md

- Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules
  into references (ECC rules installed globally via ~/.claude/rules/)
- Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md)
- Install BMad TEA (Test Architect) module with 9 testing workflows
  (ATDD, automate, CI, framework, NFR, test-design, test-review, trace,
  teach-me-testing) plus TEA agent persona
- Register TEA workflow skills in .claude/skills/ for Claude Code access
- Update BMad core to v6.2.2 (restructured _bmad/ directory layout)
- AgentShield security scan: Grade A (100/100)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Claude Code GitHub Action (#15)

* Add Claude Code GitHub Action for PR reviews

* fix: address review feedback on Claude Code workflow

- Restrict issue_comment trigger to PR comments only
- Add author-association check (OWNER/MEMBER/COLLABORATOR)
- Add pull_request_review_comment trigger
- Add timeout-minutes to prevent runaway jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use CLAUDE_CODE_OAUTH_TOKEN org secret

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add id-token: write permission for OAuth auth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining review comments

- Pin claude-code-action to commit SHA for supply-chain safety
- Add fork PR guard (secrets unavailable for fork PRs)
- Scope pull_request trigger to main branch
- Use >- folded scalar for if expression

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address OpenSSF Scorecard findings (#22)

* fix: address OpenSSF Scorecard findings

- Add SECURITY.md (#18)
- Scope workflow token permissions to read-all with per-job overrides (#19)
- Pin all GitHub Action dependencies to commit SHAs (#20)
- Ensure SAST (CodeQL) runs on all push commits to main (#21)

Closes #18, #19, #20, #21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review comments

- Replace permissions: read-all with permissions: {} (deny-by-default)
- Add concrete security contact email to SECURITY.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use claude_code_oauth_token instead of anthropic_api_key

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: skip Claude Code reviewer on Dependabot PRs (#28)

* ci: skip Claude Code reviewer on Dependabot PRs

The claude workflow fails on Dependabot PRs because secrets
(CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor.
This blocks the dependabot auto-merge automation when claude is a
required status check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: use PR author login instead of github.actor for Dependabot check

github.actor reflects who triggered the workflow run (e.g. a maintainer
reopening), not the PR author. Use github.event.pull_request.user.login
for reliable Dependabot detection, consistent with dependabot-automerge.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: move Dependabot exclusion to step-level in Claude workflow (#30)

* ci: move Dependabot exclusion to step-level in Claude workflow

Move the dependabot[bot] check from job-level `if` to step-level `if`
so the claude job runs and reports SUCCESS (with a skipped step) instead
of being skipped entirely. A skipped job doesn't satisfy required status
checks in branch protection, but a successful job with a skipped step does.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: guard step-level Dependabot check for pull_request events only

The step-level if needs to handle issue_comment and
pull_request_review_comment events where github.event.pull_request
is not present. Use event_name guard to avoid null dereference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@094bd24...88c168b)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@bee87b3...1eddb33)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.88
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable Claude issue trigger per org CI standard (#48)

Add issues:[labeled] event trigger and claude label support so Claude
can work issues autonomously — reading the issue, creating a branch,
implementing the fix, and opening a PR.

Matches the standard defined in petry-projects/.github#24.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add checkout step to Claude workflow for issue-triggered mode (#49)

The claude-code-action runs git fetch/checkout internally during branch
setup but requires the repository to already be cloned on the runner.
Without actions/checkout, issue-triggered runs fail with:
  fatal: not a git repository

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: split Claude workflow into interactive + issue automation jobs (#61)

* feat: split Claude workflow into interactive + issue automation jobs

Aligns with the org standard in petry-projects/.github. The claude-issue
job runs in automation mode with tools to create PRs, self-review,
check CI, and tag code owners when ready.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add concurrency guard and comment tools to claude-issue job

- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools for review
  replies, thread resolution, and code owner tagging
- Remove Bash(cat:*) since the Read tool already covers file reads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: switch to org-level reusable Claude Code workflow (#62)

* chore: add CODEOWNERS file for code review enforcement

Adds .github/CODEOWNERS assigning @don-petry as default code owner
for all files, satisfying the compliance requirement for code owner
review enforcement on pull requests.

Closes #47

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* fix: rename codeql workflow and add javascript-typescript + actions matrix (#81)

- Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required)
- Replace Python with javascript-typescript (matches TalkTerm stack)
- Add actions language scan (required: repo has .github/workflows/*.yml)
- Use matrix strategy for multi-language scanning per ci-standards.md
- Update schedule to Friday 17:00 UTC per org standard

Closes #41

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* chore(workflows): adopt centralized stubs from petry-projects/.github (#82)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: correct reusable workflow path (remove duplicate .github/) (#135)

fix: correct reusable workflow path (remove duplicate .github/ segment)

Changed: petry-projects/.github/.github/workflows/...
To:      petry-projects/.github/workflows/...

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

* Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)"

This reverts commit 2f121a1.

* ci: add auto-rebase workflow and check_run trigger to claude.yml

* add check_run trigger to claude.yml

* add auto-rebase.yml workflow

* chore(ci): remove stray codeql.yml workflow (#115)

The org now uses GitHub-managed CodeQL default setup. The per-repo
codeql.yml was drift and ran a duplicate analysis alongside default
setup. Removing it per the org standard.

Closes #96

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117)

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin dependency-audit reusable workflow to SHA (#120)

Pins the reusable workflow reference in .github/workflows/dependency-audit.yml
from the mutable @v1 tag to the exact commit SHA
ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org
action-pinning policy.

Closes #89

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#123)

Pins agent-shield-reusable.yml@v1 to its commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the
org-wide action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: pin dependabot-automerge reusable workflow to SHA (#124)

Pins `dependabot-automerge-reusable.yml@v1` to commit SHA
`ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the
Action Pinning Policy in ci-standards.md.

Closes #87

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix(ci): pin agent-shield reusable workflow to SHA (#126)

Pins agent-shield-reusable.yml@v1 to its full commit SHA
(ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide
action-pinning policy.

Closes #85

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: add bot accounts to CODEOWNERS for auto-merge support

* chore: standardize CODEOWNERS on @petry-projects/org-leads (#160)

Per the org-wide standard defined in petry-projects/.github
(standards/codeowners-standard.md), replace individual user/bot
listings with the @petry-projects/org-leads team.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143)

chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142)

chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml

Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141)

chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml

Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140)

chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml

Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db.
- [Commits](petry-projects/.github@ee22b42...0bba481)

---
updated-dependencies:
- dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml
  dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>

* chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176)

* feat: implement issue #162 — Compliance: codeowners-no-catchall (#182)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* rollout: deploy pr-review-mention standard workflow (#236)

* rollout: deploy pr-review-mention standard workflow

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* chore: sync 6 org-standard workflow stub(s) from petry-projects/.github

* fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270)

Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: update gitleaksignore aec934f comment to improved format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add gitleaksignore entries for commit 45b6a8e

Add false-positive suppressions for SHA256 content checksums in
_bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433)
that are flagged by gitleaks' generic-api-key rule. These are
file-content checksums, not credentials — same pattern as prior
commits e8cc095 and aec934f.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Root <donpetry@users.noreply.github.com>
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry pushed a commit that referenced this pull request Jun 23, 2026
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@5c8a8a6...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency update PRs github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant