ci: pin claude-code-reusable workflow to SHA#99
Conversation
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 36 minutes and 37 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Self-review: the change is a single-line replacement in @don-petry — no CODEOWNERS file found, so tagging you as the repo owner to review and merge. |
|
There was a problem hiding this comment.
Pull request overview
Pins the org-level Claude Code reusable workflow reference in this repo to an immutable commit SHA to satisfy the organization’s action-pinning compliance policy (Issue #84).
Changes:
- Update
.github/workflows/claude.ymlto replace@v1with the exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2) and keep a# v1hint for readability.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| jobs: | ||
| claude-code: | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1 | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@208ec2d69b75227d375edf8745d84fbac05a76b2 # v1 |
There was a problem hiding this comment.
The header comment says editors "MUST NOT change ... the uses: line", but this workflow now intentionally changes the uses: ref to satisfy action pinning. Consider updating that guidance to clarify that the reusable workflow path must stay the same, but the ref may be updated (e.g., from a tag to a pinned SHA) for compliance/version bumps.
don-petry
left a comment
There was a problem hiding this comment.
Automated review — APPROVED
Risk: LOW
Reviewed commit: ced7531e494cd59d7e51a60c77f47282123cc712
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
This PR pins a reusable workflow reference from a floating @v1 tag to an immutable commit SHA, directly satisfying the org's action-pinning policy (issue #84). All CI checks pass (CodeQL, SonarCloud, AgentShield). The only minor caveat is that the pinned SHA cannot be independently verified from this repo context, but the pre-existing secrets: inherit and permissions configuration are unchanged and CodeQL found no issues.
Findings
Info
ℹ.github/workflows/claude.yml:39— SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 cannot be independently verified to correspond to the v1 tag of petry-projects/.github — a human reviewer with access to that repo should confirm before merge.ℹ.github/workflows/claude.yml:40— Pre-existingsecrets: inheritpasses all repository secrets to the reusable workflow; this is not new in this PR but worth noting as a standing configuration concern.
CI status
All CI checks pass (CodeQL, SonarCloud, AgentShield).
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
|
Auto-rebase blocked — the base branch contains Please rebase this branch manually: |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: ced7531e494cd59d7e51a60c77f47282123cc712
Review mode: triage-approved (single reviewer)
Summary
Single-line change in .github/workflows/claude.yml pins the petry-projects/.github reusable workflow reference from a floating @v1 tag to its exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2), with a # v1 comment for readability. This directly resolves compliance issue #84 (unpinned actions). No logic, permissions, or secrets configuration changes.
Linked issue analysis
- #84 (Compliance: unpinned-actions-claude.yml) — Fully addressed. The compliance audit flagged
claude.ymlfor using an unpinned@v1tag; this PR pins it to an immutable SHA.
Findings
No blocking findings.
ℹ.github/workflows/claude.yml:39— The pinned SHA208ec2d6...should be verified by a human with access topetry-projects/.githubto confirm it corresponds to thev1tag. (Informational; carried forward from prior cascade review.)ℹ.github/workflows/claude.yml:40— Pre-existingsecrets: inheritpasses all repo secrets to the reusable workflow. Unchanged by this PR but worth noting as standing configuration.ℹBranch is behindmainand auto-rebase was blocked due toworkflowspermission scope — manual rebase required before merge.
CI status
All checks passed: CodeQL ✓, SonarCloud ✓, AgentShield ✓, CodeRabbit ✓, Dependency audit (skipped — no relevant ecosystems detected).
Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.
|
@claude Please address all open review comments on this PR from CodeRabbit and Copilot. |
|
Claude encountered an error —— View job I'll analyze this and get back to you. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
@dev-lead - please fix this PR |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: ced7531e494cd59d7e51a60c77f47282123cc712
Review mode: triage-approved (single reviewer)
Summary
Single-line change in .github/workflows/claude.yml pins the petry-projects/.github reusable workflow reference from the floating @v1 tag to its exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2), with a # v1 trailing comment for readability. This directly closes compliance issue #84 (unpinned-actions-claude.yml). No permissions, secrets, or logic changes — the change strictly tightens supply-chain posture, so triage's low-risk assessment is correct.
Linked issue analysis
- #84 (Compliance: unpinned-actions-claude.yml) — Fully addressed. The compliance audit flagged
claude.ymlfor using an unpinned@v1tag; this PR pins it to an immutable SHA per the action-pinning standard.
Findings
No blocking findings.
ℹ.github/workflows/claude.yml:39— The pinned SHA208ec2d6...cannot be independently verified from this repo's context to correspond to thev1tag ofpetry-projects/.github. Recommend a human with access to that repo confirm before merge. (Informational; carried forward from prior reviews.)ℹ.github/workflows/claude.yml:40— Pre-existingsecrets: inheritpasses all repo secrets to the reusable workflow. Unchanged by this PR, but worth flagging as a standing configuration consideration.⚠Branch is behindmainwithmergeStateStatus: DIRTY/mergeable: CONFLICTING. Auto-rebase has been blocked repeatedly due toworkflowspermission scope. Manual rebase required before merge — this approval applies to the change itself, not to the merge readiness of the branch.
CI status
All checks passed: CodeQL ✓, SonarCloud ✓ (Quality Gate, 0 new issues), AgentShield ✓, CodeRabbit ✓. Dependency audit jobs skipped (no relevant ecosystems detected in this workflow-only diff).
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
Superseded by automated re-review at ced7531.
Automated review — human attention neededThis PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the Posted by the donpetry-bot PR-review cascade. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead. |
Pull request was closed



Summary
petry-projects/.github/.github/workflows/claude-code-reusable.ymlfrom@v1to its exact commit SHA (208ec2d69b75227d375edf8745d84fbac05a76b2 # v1) to satisfy the org action-pinning policy.Changes
.github/workflows/claude.yml: replaces@v1tag reference with the pinned SHA, with# v1comment for readability.Closes #84
Generated with Claude Code