fix: exempt internal reusable workflow refs from action-pinning check

.github/workflows/agent-shield-reusable.yml

@@ -47,7 +47,7 @@ jobs:
     name: AgentShield
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # --- Deep security scan via AgentShield CLI ---
       # Uses ecc-agentshield (https://github.com/affaan-m/agentshield)

.github/workflows/ci.yml

@@ -22,7 +22,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Lint Markdown
         uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23.2.0
@@ -72,7 +72,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run ShellCheck
         run: |
@@ -92,7 +92,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
@@ -109,7 +109,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout (full history)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
 

.github/workflows/compliance-audit-and-improvement.yml

@@ -4,7 +4,7 @@
 # Job 3: Claude analyzes both datasets in six phases:
 #   Phase 1-3: Load data, categorize findings, research root causes.
 #   Phase 4: Evaluate against industry best practices & emerging capabilities.
-#   Phase 5: Create actionable issues per repo (dev-lead label for agent pickup).
+#   Phase 5: Create actionable issues per repo (claude label for agent pickup).
 #   Phase 6: Summary report.
 # Standard: https://github.com/${{ github.repository_owner }}/.github/tree/main/standards
 name: Org Standards Compliance Audit
@@ -52,11 +52,10 @@ jobs:
       repos_with_findings: ${{ steps.audit.outputs.repos_with_findings }}
       issues_added: ${{ steps.audit.outputs.issues_added }}
       issues_existing: ${{ steps.audit.outputs.issues_existing }}
-      issues_retriggered: ${{ steps.audit.outputs.issues_retriggered }}
       issues_removed: ${{ steps.audit.outputs.issues_removed }}
     steps:
       - name: Checkout .github repo
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run compliance audit
         id: audit
@@ -84,14 +83,12 @@ jobs:
           if [ -f "$COUNTS_FILE" ]; then
             ISSUES_ADDED=$(jq '.added' "$COUNTS_FILE")
             ISSUES_EXISTING=$(jq '.existing' "$COUNTS_FILE")
-            ISSUES_RETRIGGERED=$(jq '.retriggered // 0' "$COUNTS_FILE")
             ISSUES_REMOVED=$(jq '.removed' "$COUNTS_FILE")
           else
-            ISSUES_ADDED=0; ISSUES_EXISTING=0; ISSUES_RETRIGGERED=0; ISSUES_REMOVED=0
+            ISSUES_ADDED=0; ISSUES_EXISTING=0; ISSUES_REMOVED=0
           fi
           echo "issues_added=$ISSUES_ADDED" >> "$GITHUB_OUTPUT"
           echo "issues_existing=$ISSUES_EXISTING" >> "$GITHUB_OUTPUT"
-          echo "issues_retriggered=$ISSUES_RETRIGGERED" >> "$GITHUB_OUTPUT"
           echo "issues_removed=$ISSUES_REMOVED" >> "$GITHUB_OUTPUT"
 
       - name: Write step summary
@@ -276,7 +273,7 @@ jobs:
 
   # -----------------------------------------------------------------------
   # Job 3: Combined analysis — Claude reviews both datasets
-  # Creates actionable issues in the appropriate repo with the dev-lead label.
+  # Creates actionable issues in the appropriate repo with the claude label.
   # -----------------------------------------------------------------------
   analyze:
     name: Analyze & Create Issues (Claude)
@@ -290,7 +287,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout .github repo
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Download compliance audit report
         if: needs.audit.result == 'success'
@@ -310,7 +307,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.ORG_SCORECARD_TOKEN }}
           DRY_RUN: ${{ inputs.dry_run || 'false' }}
-        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+        uses: anthropics/claude-code-action@51ea8ea73a139f2a74ff649e3092c25a904aed7e # v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           prompt: |
@@ -335,7 +332,6 @@ jobs:
             - Repos with findings: ${{ needs.audit.outputs.repos_with_findings }}
             - Issues added (new): ${{ needs.audit.outputs.issues_added }}
             - Issues existing (updated): ${{ needs.audit.outputs.issues_existing }}
-            - Issues re-triggered (dev-lead re-engaged on persistent findings): ${{ needs.audit.outputs.issues_retriggered }}
             - Issues removed (resolved): ${{ needs.audit.outputs.issues_removed }}
 
             ### Health Survey (runtime telemetry)
@@ -449,7 +445,7 @@ jobs:
             exclusively **proposed new or improved standards** for the org. For each top
             opportunity (max 2-3), create a standards proposal issue in `${{ github.repository_owner }}/.github`:
             - Title: `Standards: <concise description of the proposed standard>`
-            - Labels: `dev-lead,enhancement`
+            - Labels: `claude,enhancement`
             - Body must include:
               - **Proposed Standard** — the specific policy, workflow, or configuration to adopt
               - **Rationale** — why this matters, linked to the feasibility/impact/urgency assessment
@@ -465,10 +461,10 @@ jobs:
             - Issues affecting multiple repos or org-wide concerns go in `${{ github.repository_owner }}/.github`
             - Standards improvement proposals go in `${{ github.repository_owner }}/.github`
 
-            **IMPORTANT: Every issue MUST have the `dev-lead` label** so it gets picked up for implementation.
-            Ensure the `dev-lead` label exists in the target repo before creating the issue:
+            **IMPORTANT: Every issue MUST have the `claude` label** so it gets picked up for implementation.
+            Ensure the `claude` label exists in the target repo before creating the issue:
             ```bash
-            gh label create dev-lead --repo ${{ github.repository_owner }}/<repo> --color "8B5CF6" --description "For dev-lead agent pickup" 2>/dev/null || true
+            gh label create claude --repo ${{ github.repository_owner }}/<repo> --color "8B5CF6" --description "For Claude agent pickup" 2>/dev/null || true
             ```
 
             Additional labels by type: `bug`, `security`, `ci`, `automation`, `enhancement`, `documentation`
@@ -481,7 +477,7 @@ jobs:
             ```bash
             gh issue create --repo ${{ github.repository_owner }}/<target-repo> \
               --title "<severity prefix>: <concise title>" \
-              --label "dev-lead,<other-labels>" \
+              --label "claude,<other-labels>" \
               --body "<structured body>"
             ```
 
@@ -517,9 +513,9 @@ jobs:
               per-repo issues; your job is to identify systemic patterns and create higher-level
               issues for them.
             - If a similar issue exists, add a comment with latest findings instead
-            - When commenting on existing issues, also ensure the `dev-lead` label is present:
+            - When commenting on existing issues, also ensure the `claude` label is present:
               ```bash
-              gh issue edit <number> --repo ${{ github.repository_owner }}/<repo> --add-label dev-lead
+              gh issue edit <number> --repo ${{ github.repository_owner }}/<repo> --add-label claude
               ```
 
             **Before writing the Phase 6 summary**, gather linked PR data for all issues you
@@ -560,7 +556,6 @@ jobs:
             |--------|-------|
             | Added (new) | ${{ needs.audit.outputs.issues_added }} |
             | Existing (updated) | ${{ needs.audit.outputs.issues_existing }} |
-            | Re-triggered (dev-lead re-engaged) | ${{ needs.audit.outputs.issues_retriggered }} |
             | Removed (resolved) | ${{ needs.audit.outputs.issues_removed }} |
 
             Group by compliance issue type — one subsection per distinct check/finding type,
@@ -602,9 +597,9 @@ jobs:
             ## Rules
 
             - **Do not fix code or push changes.** Analysis and issue creation only.
-            - **Do not close or modify existing issues** beyond adding the `dev-lead` label.
+            - **Do not close or modify existing issues** beyond adding the `claude` label.
             - **Do not create PRs.** Only create issues with actionable recommendations.
-            - **Every issue gets the `dev-lead` label.** No exceptions.
+            - **Every issue gets the `claude` label.** No exceptions.
             - **Repo-specific issues go in that repo.** Org-wide issues go in `.github`.
             - **Be specific.** Include run IDs, URLs, and exact error messages.
             - **Deduplicate aggressively.** One well-written issue beats five vague ones.

.github/workflows/compliance-retrigger.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Checkout .github repo
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Re-trigger stale compliance issues
         run: bash scripts/compliance-retrigger.sh

.github/workflows/daily-org-status.yml

@@ -17,13 +17,25 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
+        with:
+          node-version: '20'
+
+      - name: Install Claude Code CLI
+        run: |
+          # --ignore-scripts prevents npm from auto-running lifecycle scripts (avoids SonarCloud S6476 hotspot).
+          # install.cjs is the postinstall step that downloads the claude native binary — required for the CLI.
+          npm install -g --ignore-scripts @anthropic-ai/claude-code@2.1.132
+          node "$(npm root -g)/@anthropic-ai/claude-code/install.cjs"
 
       - name: Generate org status report
         env:
           GH_TOKEN: ${{ secrets.GH_PAT_WORKFLOWS }}
+          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
         run: |
-          chmod +x scripts/org_status.sh scripts/org_report.sh
+          chmod +x scripts/org_status.sh
           bash scripts/org_status.sh > /tmp/report.md
           [ -s /tmp/report.md ] || { echo "Report is empty — aborting"; exit 1; }
 

.github/workflows/dependabot-rebase-reusable.yml

@@ -94,13 +94,8 @@ jobs:
           MERGED=false
 
           while IFS=' ' read -r PR_NUMBER HEAD_REF; do
-            # Branch may be transiently unavailable (race: PR list fetched before
-            # branch delete propagates). Skip gracefully instead of crashing.
-            if ! BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \
-              --jq '.behind_by' 2>/dev/null); then
-              echo "  Skipping PR #$PR_NUMBER — branch $HEAD_REF not found, skipping"
-              continue
-            fi
+            BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \
+              --jq '.behind_by')
 
             if [[ "$BEHIND" -gt 0 ]]; then
               echo "PR #$PR_NUMBER ($HEAD_REF) is $BEHIND commit(s) behind — updating branch"

.github/workflows/dependency-audit-reusable.yml

@@ -27,7 +27,7 @@ jobs:
       cargo: ${{ steps.check.outputs.cargo }}
       pip: ${{ steps.check.outputs.pip }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Detect package ecosystems
         id: check
@@ -74,7 +74,7 @@ jobs:
     if: needs.detect.outputs.npm == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
@@ -99,7 +99,7 @@ jobs:
     if: needs.detect.outputs.pnpm == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 
@@ -126,7 +126,7 @@ jobs:
     if: needs.detect.outputs.gomod == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
         with:
@@ -153,7 +153,7 @@ jobs:
     if: needs.detect.outputs.cargo == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Rust stable toolchain
         run: rustup toolchain install stable --profile minimal
@@ -222,7 +222,7 @@ jobs:
     if: needs.detect.outputs.pip == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:

.github/workflows/dependency-audit.yml

@@ -31,7 +31,7 @@ jobs:
       cargo: ${{ steps.check.outputs.cargo }}
       pip: ${{ steps.check.outputs.pip }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - name: Detect package ecosystems
         id: check
@@ -78,7 +78,7 @@ jobs:
     if: needs.detect.outputs.npm == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
@@ -103,7 +103,7 @@ jobs:
     if: needs.detect.outputs.pnpm == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v4
 
@@ -130,7 +130,7 @@ jobs:
     if: needs.detect.outputs.gomod == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
         with:
@@ -157,7 +157,7 @@ jobs:
     if: needs.detect.outputs.cargo == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
@@ -184,7 +184,7 @@ jobs:
     if: needs.detect.outputs.pip == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:

.github/workflows/dev-lead.yml

@@ -37,9 +37,15 @@ on:
 
 permissions: {}
 
-# Concurrency is centralised in the reusable workflow (dev-lead-reusable.yml) with
-# per-issue / per-PR lanes, so issue pickups are never cancelled by PR follow-up
-# traffic and the grouping can't drift per-repo. See petry-projects/.github#402.
+concurrency:
+  # One active run per repo; ci-relay (check_run) keeps an ephemeral per-SHA slot
+  # so it can fire immediately without blocking or being blocked by the dispatch queue.
+  group: >-
+    ${{
+      github.event_name == 'check_run' && format('dev-lead-ci-relay-{0}', github.event.check_run.head_sha) ||
+      'dev-lead'
+    }}
+  cancel-in-progress: false
 
 jobs:
   dev-lead:
@@ -51,4 +57,3 @@ jobs:
       issues: write
       actions: read
       checks: read
-      statuses: read   # required by dev-lead-reusable.yml since #435