Skip to content

ci: pin claude-code-reusable workflow to SHA#99

Closed
don-petry wants to merge 1 commit into
mainfrom
claude/issue-84-20260414-1235
Closed

ci: pin claude-code-reusable workflow to SHA#99
don-petry wants to merge 1 commit into
mainfrom
claude/issue-84-20260414-1235

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

  • Pins petry-projects/.github/.github/workflows/claude-code-reusable.yml from @v1 to its exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2 # v1) to satisfy the org action-pinning policy.

Changes

  • .github/workflows/claude.yml: replaces @v1 tag reference with the pinned SHA, with # v1 comment for readability.

Closes #84

Generated with Claude Code

Pin petry-projects/.github/.github/workflows/claude-code-reusable.yml
from @v1 to its exact commit SHA to satisfy the action-pinning policy.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 12:36
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 36 minutes and 37 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 36 minutes and 37 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 20466002-50c7-4287-86a3-5861ba417648

📥 Commits

Reviewing files that changed from the base of the PR and between 4235652 and ced7531.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-84-20260414-1235

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

Self-review: the change is a single-line replacement in .github/workflows/claude.yml — swapping the floating @v1 tag for its resolved commit SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 with a # v1 comment so the version remains human-readable. No logic changes; no other files affected.

@don-petry — no CODEOWNERS file found, so tagging you as the repo owner to review and merge.

@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins the org-level Claude Code reusable workflow reference in this repo to an immutable commit SHA to satisfy the organization’s action-pinning compliance policy (Issue #84).

Changes:

  • Update .github/workflows/claude.yml to replace @v1 with the exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2) and keep a # v1 hint for readability.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

jobs:
claude-code:
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@208ec2d69b75227d375edf8745d84fbac05a76b2 # v1

Copilot AI Apr 14, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header comment says editors "MUST NOT change ... the uses: line", but this workflow now intentionally changes the uses: ref to satisfy action pinning. Consider updating that guidance to clarify that the reusable workflow path must stay the same, but the ref may be updated (e.g., from a tag to a pinned SHA) for compliance/version bumps.

Copilot uses AI. Check for mistakes.

@don-petry don-petry left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED

Risk: LOW
Reviewed commit: ced7531e494cd59d7e51a60c77f47282123cc712
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR pins a reusable workflow reference from a floating @v1 tag to an immutable commit SHA, directly satisfying the org's action-pinning policy (issue #84). All CI checks pass (CodeQL, SonarCloud, AgentShield). The only minor caveat is that the pinned SHA cannot be independently verified from this repo context, but the pre-existing secrets: inherit and permissions configuration are unchanged and CodeQL found no issues.

Findings

Info

  • .github/workflows/claude.yml:39 — SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 cannot be independently verified to correspond to the v1 tag of petry-projects/.github — a human reviewer with access to that repo should confirm before merge.
  • .github/workflows/claude.yml:40 — Pre-existing secrets: inherit passes all repository secrets to the reusable workflow; this is not new in this PR but worth noting as a standing configuration concern.

CI status

All CI checks pass (CodeQL, SonarCloud, AgentShield).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 16, 2026 23:35
@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

donpetry-bot
donpetry-bot previously approved these changes May 5, 2026

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: ced7531e494cd59d7e51a60c77f47282123cc712
Review mode: triage-approved (single reviewer)

Summary

Single-line change in .github/workflows/claude.yml pins the petry-projects/.github reusable workflow reference from a floating @v1 tag to its exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2), with a # v1 comment for readability. This directly resolves compliance issue #84 (unpinned actions). No logic, permissions, or secrets configuration changes.

Linked issue analysis

  • #84 (Compliance: unpinned-actions-claude.yml) — Fully addressed. The compliance audit flagged claude.yml for using an unpinned @v1 tag; this PR pins it to an immutable SHA.

Findings

No blocking findings.

  • .github/workflows/claude.yml:39 — The pinned SHA 208ec2d6... should be verified by a human with access to petry-projects/.github to confirm it corresponds to the v1 tag. (Informational; carried forward from prior cascade review.)
  • .github/workflows/claude.yml:40 — Pre-existing secrets: inherit passes all repo secrets to the reusable workflow. Unchanged by this PR but worth noting as standing configuration.
  • Branch is behind main and auto-rebase was blocked due to workflows permission scope — manual rebase required before merge.

CI status

All checks passed: CodeQL ✓, SonarCloud ✓, AgentShield ✓, CodeRabbit ✓, Dependency audit (skipped — no relevant ecosystems detected).


Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

Copy link
Copy Markdown
Contributor Author

@claude Please address all open review comments on this PR from CodeRabbit and Copilot.

@claude

claude Bot commented May 6, 2026

Copy link
Copy Markdown

Claude encountered an error —— View job


I'll analyze this and get back to you.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead - please fix this PR

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: ced7531e494cd59d7e51a60c77f47282123cc712
Review mode: triage-approved (single reviewer)

Summary

Single-line change in .github/workflows/claude.yml pins the petry-projects/.github reusable workflow reference from the floating @v1 tag to its exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2), with a # v1 trailing comment for readability. This directly closes compliance issue #84 (unpinned-actions-claude.yml). No permissions, secrets, or logic changes — the change strictly tightens supply-chain posture, so triage's low-risk assessment is correct.

Linked issue analysis

  • #84 (Compliance: unpinned-actions-claude.yml) — Fully addressed. The compliance audit flagged claude.yml for using an unpinned @v1 tag; this PR pins it to an immutable SHA per the action-pinning standard.

Findings

No blocking findings.

  • .github/workflows/claude.yml:39 — The pinned SHA 208ec2d6... cannot be independently verified from this repo's context to correspond to the v1 tag of petry-projects/.github. Recommend a human with access to that repo confirm before merge. (Informational; carried forward from prior reviews.)
  • .github/workflows/claude.yml:40 — Pre-existing secrets: inherit passes all repo secrets to the reusable workflow. Unchanged by this PR, but worth flagging as a standing configuration consideration.
  • Branch is behind main with mergeStateStatus: DIRTY / mergeable: CONFLICTING. Auto-rebase has been blocked repeatedly due to workflows permission scope. Manual rebase required before merge — this approval applies to the change itself, not to the merge readiness of the branch.

CI status

All checks passed: CodeQL ✓, SonarCloud ✓ (Quality Gate, 0 new issues), AgentShield ✓, CodeRabbit ✓. Dependency audit jobs skipped (no relevant ecosystems detected in this workflow-only diff).


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@donpetry-bot donpetry-bot dismissed their stale review May 30, 2026 20:12

Superseded by automated re-review at ced7531.

@donpetry-bot

Copy link
Copy Markdown
Contributor

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

@donpetry-bot donpetry-bot requested a review from a team May 30, 2026 20:27
@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:20

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-claude.yml

3 participants