Skip to content

feat: implement issue #253 — Compliance: non-stub-agent-shield.yml#268

Closed
don-petry wants to merge 4 commits into
mainfrom
dev-lead/issue-253-20260526-1710
Closed

feat: implement issue #253 — Compliance: non-stub-agent-shield.yml#268
don-petry wants to merge 4 commits into
mainfrom
dev-lead/issue-253-20260526-1710

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Closes #253

Implemented by dev-lead agent. Please review.

Copilot AI review requested due to automatic review settings May 26, 2026 17:12
@don-petry don-petry requested a review from a team as a code owner May 26, 2026 17:12
@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 37 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: de00fb2a-9eb8-4e5f-94d9-79f1412e8c3f

📥 Commits

Reviewing files that changed from the base of the PR and between 61aa4ee and e59d46f.

📒 Files selected for processing (2)
  • .github/workflows/agent-shield.yml
  • .gitignore
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-253-20260526-1710

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds a duplicate .dev-lead/ entry to the .gitignore file. The review feedback correctly points out that this entry is already defined multiple times in the file, making the addition redundant, and suggests removing it.

Comment thread .gitignore Outdated
.dev-lead/
.dev-lead/
.dev-lead/
.dev-lead/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

The entry .dev-lead/ is already defined multiple times in this file. Adding another duplicate entry is redundant. Please remove this line.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Implements compliance remediation for issue #253 by updating the repository’s AgentShield centralized workflow to use the canonical reusable workflow reference pinned to @v1.

Changes:

  • Updated .github/workflows/agent-shield.yml to call the org reusable workflow at @v1 and added with: inputs.
  • Added another .dev-lead/ entry to .gitignore (already duplicated in the file).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
.gitignore Adds an additional .dev-lead/ ignore entry (introduces further duplication).
.github/workflows/agent-shield.yml Switches AgentShield reusable workflow reference to @v1 and configures inputs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/agent-shield.yml Outdated
with:
min-severity: medium
agentshield-version: latest
required-files: []
Comment on lines +1 to +7
# This file is a THIN CALLER STUB. The AgentShield CLI scan and the
# org-specific structural checks live in the reusable workflow above.
#
# AGENTS — READ BEFORE EDITING:
# • This file is a THIN CALLER STUB. The AgentShield CLI scan and the
# org-specific structural checks live in the reusable workflow above.
# • You MAY change: the `with:` inputs (min-severity, agentshield-version,
# required-files, org-standards-ref) — only if your repo genuinely needs
# a different policy.
# • You MUST NOT change: trigger events, the `uses:` line, or the job name
# (used as a required status check).
# • If you need different behaviour beyond the inputs, open a PR against
# the reusable in the central repo.
# ─────────────────────────────────────────────────────────────────────────────
#
# AgentShield — thin caller for the org-level reusable.
# To adopt: copy this file to .github/workflows/agent-shield.yml in your repo.
# Agents may adjust input parameters (min-severity, agentshield-version,
# required-files, org-standards-ref) if their repo has specific needs.
# Everything else must remain unchanged.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 58e8c990ec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/agent-shield.yml Outdated
jobs:
agent-shield:
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@376a4fcb1117444595e3e702fa450873d0e54310 # v2
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pin reusable workflow to immutable commit

Use an immutable SHA for the reusable workflow instead of the mutable @v1 tag. In this file the previous revision was SHA-pinned, but this change reintroduces ref drift: a future tag move can silently change policy enforcement or break the required agent-shield / AgentShield check without any change in this repo. Pinning to a commit restores reproducible and auditable CI behavior.

Useful? React with 👍 / 👎.

Comment thread .github/workflows/agent-shield.yml Outdated
jobs:
agent-shield:
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@376a4fcb1117444595e3e702fa450873d0e54310 # v2
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid downgrading reusable workflow major version

This change switches the reusable workflow reference from a commit previously documented as v2 to @v1, which is a major-version downgrade. That can remove checks or behavior expected by current branch-protection policy and make the agent-shield / AgentShield status check inconsistent across runs. Keep the caller on the current major line (and pin that exact revision) to avoid regressing enforcement.

Useful? React with 👍 / 👎.

Comment thread .github/workflows/agent-shield.yml Outdated
with:
min-severity: medium
agentshield-version: latest
required-files: []

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass required-files as string input, not YAML array

Reusable-workflow inputs under workflow_call are typed as string|number|boolean, and caller with: values must match that declared type; required-files: [] is a YAML sequence, not a scalar string. If the reusable expects a string input (which is the only way to represent lists there), this causes workflow validation/runtime failure and the agent-shield required check will not report correctly.

Useful? React with 👍 / 👎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7032dac88e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

min-severity: medium
agentshield-version: latest
required-files: []
org-standards-ref: petry-projects/.github/main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Use an org reference regex that matches AGENTS.md

With the v1 reusable workflow, org-standards-ref is passed directly to grep -qiE "$ORG_REF" AGENTS.md in the “Validate cross-references” step. The current repository’s AGENTS.md references petry-projects/.github/blob/main/..., so this new value (petry-projects/.github/main) does not match and the AgentShield job will fail on every push/PR even though the required org-standards link is present.

Useful? React with 👍 / 👎.

uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1
with:
min-severity: medium
agentshield-version: latest

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pin the AgentShield CLI version

This overrides the reusable workflow’s pinned ecc-agentshield default with latest, so the required AgentShield check can change behavior or start failing when a new npm release is published, without any change in this repo. In CI contexts where this check gates merges, keep this input on a concrete version so scan policy and failures remain reproducible.

Useful? React with 👍 / 👎.

@github-actions

Copy link
Copy Markdown
Contributor

CI Failure: SonarCloud Code Analysis

Step: SonarCloud Code Analysis (Quality Gate)
Root cause: Config error

The PR changes .github/workflows/agent-shield.yml to reference the reusable workflow via a mutable tag (@v1) instead of the previously-pinned commit SHA (@376a4fcb1117444595e3e702fa450873d0e54310). SonarCloud flags this as a security vulnerability: mutable tags can be silently updated to point to different (potentially malicious) code, making builds non-deterministic and supply-chain-unsafe. This violation causes the SonarCloud Quality Gate to fail.

Suggested fix: Replace uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1 with the pinned SHA reference uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@376a4fcb1117444595e3e702fa450873d0e54310 # v2 (or the correct SHA for v1 if a downgrade is intentional) to satisfy the security requirement.

View run logs

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@sonarqubecloud

sonarqubecloud Bot commented Jun 1, 2026

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:23

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: non-stub-agent-shield.yml

3 participants