Skip to content

feat: implement issue #325 — Compliance: non-stub-dependency-audit.yml#340

Closed
don-petry wants to merge 2 commits into
mainfrom
dev-lead/issue-325-20260526-1715
Closed

feat: implement issue #325 — Compliance: non-stub-dependency-audit.yml#340
don-petry wants to merge 2 commits into
mainfrom
dev-lead/issue-325-20260526-1715

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Closes #325

Implemented by dev-lead agent. Please review.

Copilot AI review requested due to automatic review settings May 26, 2026 17:18
@don-petry don-petry requested a review from a team as a code owner May 26, 2026 17:18

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a duplicate .dev-lead/ entry in the .gitignore file. The reviewer correctly identified this redundancy and suggested removing it to keep the file clean.

Comment thread .gitignore
# compliance-ci-trigger
# ci-trigger-298
.dev-lead/
.dev-lead/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

The entry .dev-lead/ is already present in this file (on line 12). This duplicate entry is redundant and can be safely removed.

@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@github-actions[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f9819e6c-3116-43c6-a276-b0b8b03f1fed

📥 Commits

Reviewing files that changed from the base of the PR and between b6c4f09 and 87bc09a.

📒 Files selected for processing (3)
  • .github/workflows/ci-failure-analyst.yml
  • .github/workflows/dependency-audit.yml
  • .gitignore
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-325-20260526-1715

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8a267d9924

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

jobs:
dependency-audit:
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v2
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restore dependency audit reusable workflow to v2

Pinning dependency-audit back to @v1 regresses the repository to an older security-audit implementation and undoes the prior upgrade to @v2, so future PRs/pushes will run stale dependency-audit logic. In this repo, this file is a thin caller and explicitly treated as a source-of-truth stub, so changing the uses: target version here introduces compliance drift rather than a functional update.

Useful? React with 👍 / 👎.

@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repository’s dependency audit GitHub Actions workflow to comply with the org standard by pinning the reusable workflow reference to @v1.

Changes:

  • Pin .github/workflows/dependency-audit.yml reusable workflow reference to petry-projects/.github/...@v1.
  • Update .gitignore (currently adds an additional duplicate .dev-lead/ ignore entry).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
.gitignore Adds another .dev-lead/ ignore entry (now duplicated multiple times).
.github/workflows/dependency-audit.yml Pins dependency audit reusable workflow to @v1 for compliance.

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 87bc09a520782277d1adf76020d468e71c79dc92
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

The v2→v1 version change flagged by triage is intentional and correct: issue #325 was auto-created by the weekly compliance audit requiring @v1 as the org standard, and the linked issue body, implementation plan, and org tag history all confirm both versions exist and @v1 is mandated. All CI gates pass (CodeQL, SonarQube quality gate, CodeRabbit). The only defect is a duplicate .dev-lead/ line appended to .gitignore, which is harmless but should be cleaned up before or after merge.

Findings

  • INFO: Version change @v2@v1 in dependency-audit.yml is a compliance restoration, not a downgrade. Issue #325 (auto-created by weekly compliance audit) explicitly requires petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1 as the org standard. Both tags exist in the .github repo; @v1 is the mandated canonical stub version. (.github/workflows/dependency-audit.yml, line 33)
  • MINOR: .dev-lead/ is now duplicated in .gitignore (lines 12 and 13). The entry already existed before this PR; the auto-fix commit appended it again. Functionally harmless but creates noise. Multiple automated reviewers (Gemini, Copilot) flagged this. Recommend removing the duplicate. (.gitignore, line 13)
  • INFO: Quote style changes (double→single) and comment alignment in ci-failure-analyst.yml are purely cosmetic prettier auto-fixes applied by the github-actions[bot] commit. No logic change. (.github/workflows/ci-failure-analyst.yml)
  • INFO: All CI checks pass: CodeQL (actions, javascript-typescript, python all SUCCESS), SonarQube Quality Gate passed (0 new issues, 0 security hotspots), CodeRabbit SUCCESS.

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:14

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: non-stub-dependency-audit.yml

3 participants