feat: implement issue #325 — Compliance: non-stub-dependency-audit.yml#340
feat: implement issue #325 — Compliance: non-stub-dependency-audit.yml#340don-petry wants to merge 2 commits into
Conversation
| # compliance-ci-trigger | ||
| # ci-trigger-298 | ||
| .dev-lead/ | ||
| .dev-lead/ |
|
Warning Review limit reached
More reviews will be available in 59 minutes and 39 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8a267d9924
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| jobs: | ||
| dependency-audit: | ||
| uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v2 | ||
| uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1 |
There was a problem hiding this comment.
Restore dependency audit reusable workflow to v2
Pinning dependency-audit back to @v1 regresses the repository to an older security-audit implementation and undoes the prior upgrade to @v2, so future PRs/pushes will run stale dependency-audit logic. In this repo, this file is a thin caller and explicitly treated as a source-of-truth stub, so changing the uses: target version here introduces compliance drift rather than a functional update.
Useful? React with 👍 / 👎.
|
There was a problem hiding this comment.
Pull request overview
Updates the repository’s dependency audit GitHub Actions workflow to comply with the org standard by pinning the reusable workflow reference to @v1.
Changes:
- Pin
.github/workflows/dependency-audit.ymlreusable workflow reference topetry-projects/.github/...@v1. - Update
.gitignore(currently adds an additional duplicate.dev-lead/ignore entry).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .gitignore | Adds another .dev-lead/ ignore entry (now duplicated multiple times). |
| .github/workflows/dependency-audit.yml | Pins dependency audit reusable workflow to @v1 for compliance. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 87bc09a520782277d1adf76020d468e71c79dc92
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)
Summary
The v2→v1 version change flagged by triage is intentional and correct: issue #325 was auto-created by the weekly compliance audit requiring @v1 as the org standard, and the linked issue body, implementation plan, and org tag history all confirm both versions exist and @v1 is mandated. All CI gates pass (CodeQL, SonarQube quality gate, CodeRabbit). The only defect is a duplicate .dev-lead/ line appended to .gitignore, which is harmless but should be cleaned up before or after merge.
Findings
- INFO: Version change @v2→@v1 in dependency-audit.yml is a compliance restoration, not a downgrade. Issue #325 (auto-created by weekly compliance audit) explicitly requires
petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1as the org standard. Both tags exist in the .github repo; @v1 is the mandated canonical stub version. (.github/workflows/dependency-audit.yml, line 33) - MINOR:
.dev-lead/is now duplicated in .gitignore (lines 12 and 13). The entry already existed before this PR; the auto-fix commit appended it again. Functionally harmless but creates noise. Multiple automated reviewers (Gemini, Copilot) flagged this. Recommend removing the duplicate. (.gitignore, line 13) - INFO: Quote style changes (double→single) and comment alignment in ci-failure-analyst.yml are purely cosmetic prettier auto-fixes applied by the github-actions[bot] commit. No logic change. (
.github/workflows/ci-failure-analyst.yml) - INFO: All CI checks pass: CodeQL (actions, javascript-typescript, python all SUCCESS), SonarQube Quality Gate passed (0 new issues, 0 security hotspots), CodeRabbit SUCCESS.
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
|
Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead. |
Pull request was closed



Closes #325
Implemented by dev-lead agent. Please review.