fix(claude-code): wire agentic responses to trusted bot reviews and CI failures#292
Open
don-petry wants to merge 75 commits into
Open
fix(claude-code): wire agentic responses to trusted bot reviews and CI failures#292don-petry wants to merge 75 commits into
don-petry wants to merge 75 commits into
Conversation
|
Warning Review limit reached
More reviews will be available in 16 minutes and 42 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more credits in the billing tab to continue. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (4)
📝 WalkthroughWalkthroughMigrates CI-failure handling from check_run to workflow_run, adds multiple bot-driven remediation jobs (review-comment fixer, PR-review fixer, bot-comment fixer, issue-driven PRs, rebase handler), updates the reusable workflow interface, standards docs, and removes an ChangesClaude Code Automation Refactor and Expansion
Sequence DiagramsequenceDiagram
participant GitHub as GitHub Events
participant ReusableWF as claude-code-reusable.yml
participant Claude as anthropics/claude-code-action
participant Repo as Repository
GitHub->>ReusableWF: workflow_run (failure)
GitHub->>ReusableWF: pull_request_review
GitHub->>ReusableWF: issue_comment
GitHub->>ReusableWF: issues
GitHub->>ReusableWF: pull_request_review_comment
ReusableWF->>Claude: start claude-ci-fix / claude-fix-pr-reviews / claude-fix-bot-comments / claude-issue / claude-rebase
Claude->>Repo: checkout PR branch using pull_requests[0].number and head SHA
Claude->>Repo: inspect logs and workflow_run details
Claude->>Repo: fetch GraphQL review threads
Claude->>Repo: attempt fixes and push changes
Claude->>Repo: resolve review threads or create PR
Claude->>Repo: post summary comment
Claude->>ReusableWF: poll CI status (gh run view / workflow_run) until green or fail
Estimated Code Review Effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly Related Issues
Possibly Related PRs
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
5 tasks
Contributor
Author
|
The PR is ready for review. @petry-projects/org-leads — please review and merge when CI is green. What this fixes:
Required follow-up per adopting repo: Update each repo's |
Contributor
There was a problem hiding this comment.
Pull request overview
Wires up automated Claude responses for cases that were previously silently dropped: bot-authored PR reviews, bot-authored PR comments from external CI tools (NONE author_association), and CI failures (since check_run is unsupported by claude-code-action).
Changes:
- Replaces the broken
check_runtrigger/job with aworkflow_run-basedclaude-ci-fixflow, removing the runtime fork-check shell step in favor of anif:gate. - Adds two new reusable jobs:
claude-fix-pr-reviews(top-levelpull_request_reviewfrom Copilot/Gemini/CodeRabbit) andclaude-fix-bot-comments(issue_commentfrom SonarCloud/CodeRabbit) usingallowed_bots. - Updates standard template triggers and
ci-standards.mdto describe the five-job layout.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
.github/workflows/claude-code-reusable.yml |
Rewrites claude-ci-fix for workflow_run and adds bot review/comment jobs. |
standards/workflows/claude.yml |
Swaps check_run for workflow_run and adds pull_request_review trigger. |
standards/ci-standards.md |
Documents the new job set and updated trigger requirements. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the Claude CI standards and workflow template to expand automation capabilities. It replaces the check_run trigger with workflow_run for CI failure responses and introduces two new jobs, claude-fix-pr-reviews and claude-fix-bot-comments, to handle feedback from AI reviewer bots and external CI tools. Corresponding documentation and the example workflow configuration have been updated to reflect these changes. I have no feedback to provide.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bf44722498
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # The reusable workflow's claude-ci-fix job only acts on failures that | ||
| # are associated with an open same-repo PR — push-to-main runs are | ||
| # ignored automatically. | ||
| workflows: ["CI", "SonarCloud Analysis", "build-and-test"] |
There was a problem hiding this comment.
The caller stub is still documented as an immutable file to adopt verbatim, but this new workflow_run filter only fires for workflows whose name: is exactly one of these three strings. Repos whose CI workflow is named differently will copy the standard and silently lose claude-ci-fix coverage, because GitHub only triggers workflow_run for the names listed here; this needs a repo-specific generation path or a non-misleading placeholder instead of fixed defaults.
Useful? React with 👍 / 👎.
Contributor
Author
There was a problem hiding this comment.
Deferring to broader standards work: This reusable workflow is designed to be platform-agnostic. Caller workflows in individual repos should define their own workflow_run filters. Documentation will be added to ci-standards.md to clarify that callers must specify their repo-specific workflow names.
Contributor
Author
There was a problem hiding this comment.
Added a callout to the claude-ci-fix job description in standards/ci-standards.md (in the deprecated claude.yml section) explicitly noting that the example workflow names (CI, SonarCloud Analysis, build-and-test) in standards/workflows/claude.yml are illustrative — callers must replace them with the actual name: field values from their workflows, and that mismatched names silently prevent the job from firing.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c826ad3be3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 484897a3b2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+158
to
+161
| github.event_name == 'workflow_run' && | ||
| github.event.workflow_run.conclusion == 'failure' && | ||
| github.event.workflow_run.pull_requests[0] != null && | ||
| github.event.workflow_run.pull_requests[0].head.repo.full_name == github.repository |
There was a problem hiding this comment.
In the current repository, .github/workflows/claude.yml still calls this reusable workflow from only pull_request, issue_comment, pull_request_review_comment, issues, and check_run events; it does not declare workflow_run. After this condition was changed from check_run to workflow_run, the dogfood caller will never pass a CI-failure event into claude-ci-fix, so CI-failure automation stops working for this repo until the caller is updated alongside the reusable.
Useful? React with 👍 / 👎.
Contributor
Author
There was a problem hiding this comment.
This is a caller workflow concern (not in scope for the reusable). When '.github/workflows/claude.yml' is created in this repo, it will need to include workflow_run trigger with repo-specific workflow names.
Comment on lines
+213
to
+219
| github.event_name == 'pull_request_review' && | ||
| github.event.review.state != 'APPROVED' && | ||
| github.event.pull_request.head.repo.full_name == github.repository && | ||
| contains( | ||
| fromJson('["copilot-pull-request-reviewer[bot]","gemini-code-assist[bot]","coderabbitai[bot]"]'), | ||
| github.event.review.user.login | ||
| ) |
There was a problem hiding this comment.
This new job can only run when the caller workflow is triggered by pull_request_review, but the repository’s own .github/workflows/claude.yml still has no pull_request_review event, so top-level Copilot/Gemini/CodeRabbit reviews on this repo will never reach the reusable workflow. Update the dogfood caller at the same time as adding this handler, otherwise the automation being introduced here is inert for this repository.
Useful? React with 👍 / 👎.
Contributor
Author
There was a problem hiding this comment.
This is a caller workflow concern (not in scope for the reusable). When '.github/workflows/claude.yml' is added to this repo, it will need to include pull_request_review trigger.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 484897a3b2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| github.event_name == 'check_run' && | ||
| github.event.check_run.conclusion == 'failure' && | ||
| !startsWith(github.event.check_run.name, 'claude-code / ') | ||
| github.event_name == 'workflow_run' && |
There was a problem hiding this comment.
In this repo I checked the actual caller .github/workflows/claude.yml, and it still only subscribes to check_run plus the older PR/comment events; it does not trigger on workflow_run or pull_request_review. After this condition switches claude-ci-fix to require workflow_run, the central repo's existing caller will invoke the reusable workflow on check_run events where this job is always skipped, so CI-failure fixing stops working here until the live caller is updated or the reusable keeps a migration path for check_run.
Useful? React with 👍 / 👎.
Contributor
Author
There was a problem hiding this comment.
This is a caller workflow concern (not in scope for the reusable). Documentation work to clarify that callers must include workflow_run trigger.
Contributor
Author
There was a problem hiding this comment.
Added a callout to the claude-ci-fix job description in standards/ci-standards.md explicitly noting that the example workflow names in the template are illustrative — callers must replace them with their repo's actual workflow name: values; mismatched names silently prevent claude-ci-fix from firing. This directly addresses the documentation gap noted here.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b77911707d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+369
to
+370
| pull_request_review: # enables claude-fix-pr-reviews — do not remove | ||
| types: [submitted] |
There was a problem hiding this comment.
In this Standard configuration snippet, adding pull_request_review does not actually enable claude-fix-pr-reviews: the jobs shown below are still the old inline claude/claude-issue jobs, and the claude job's if only handles pull_request, issue_comment, and pull_request_review_comment. Repos that copy this block instead of the separate reusable stub will subscribe to top-level bot reviews but run no fixer for them, so the new Copilot/Gemini/CodeRabbit review automation remains inert in those repos.
Useful? React with 👍 / 👎.
Contributor
Author
There was a problem hiding this comment.
This is a documentation/standards concern (not in scope for the reusable workflow itself). The ci-standards.md standard configuration example needs to show the updated jobs that include claude-fix-pr-reviews.
Contributor
Author
There was a problem hiding this comment.
Added the three missing jobs (claude-ci-fix, claude-fix-pr-reviews, claude-fix-bot-comments) to the archived configuration YAML in standards/ci-standards.md. The archived config now shows all five jobs with their correct if conditions, concurrency groups, permissions, and prompt content — including the pull_request_review handler for Copilot/Gemini/CodeRabbit. Repos referencing this block will now see a complete configuration.
Contributor
Author
There was a problem hiding this comment.
Added the three missing jobs to the archived configuration YAML in standards/ci-standards.md. The block now shows all five jobs — claude, claude-issue, claude-ci-fix, claude-fix-pr-reviews, and claude-fix-bot-comments — with correct if conditions, concurrency groups, permissions, and prompt content matching the reusable workflow. The pull_request_review handler for Copilot/Gemini/CodeRabbit and the workflow_run CI-failure handler are both present, so repos referencing this block now see a complete, consistent five-job configuration.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8cf94b2b0b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Contributor
Superseded by automated re-review at
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/claude-code-reusable.yml:
- Around line 249-256: The prompt currently references "Follow the same cycle as
claude-fix-review-comments" which is not self-contained; replace that reference
in the prompt block with an explicit, minimal actionable cycle (e.g., checkout
PR, rebase to base branch, fetch unresolved review threads, apply fixes or reply
when human input is needed, commit & push changes as claude[bot], resolve
threads via GraphQL, wait for CI and repeat until green, then post a summary) so
Claude has all steps; update the prompt text that includes the variable
interpolations (the multi-line prompt under prompt: |) and ensure it names the
referenced job (claude-fix-review-comments) and then lists the concrete steps in
order so the workflow can run without external context.
- Around line 263-270: Add the same fork-safety PR ownership check to the
claude-fix-bot-comments job that exists in claude-ci-fix and
claude-fix-pr-reviews: insert an initial step (using actions/github-script@v7)
that calls the GitHub REST pulls.get for context.issue.number, then compare
pr.data.head.repo.full_name to context.repo.full_name and call
core.setFailed('Cannot run on fork') if they differ so the job aborts for PRs
coming from forks (this must run before any bot-allowlist logic that assumes
full repo access).
In `@standards/ci-standards.md`:
- Around line 383-385: The YAML example uses an invalid placeholder `workflows:
[...]`; update the `workflow_run` block to show a concrete, copy-pasteable
example by replacing `workflows: [...]` with a real list (e.g., `workflows:
['CI']` or a multi-line list with `- CI` and `- Build`) and keep a short inline
comment explaining to replace with the repo's workflow names; edit the
`workflow_run` section (reference symbol: workflow_run and key: workflows) so
the template is valid YAML and clearly actionable.
- Line 347: The inline CLI command gh run view --log-failed is not formatted as
code like other inline references; update the document text to wrap gh run view
--log-failed in inline code formatting (backticks) wherever it appears to match
the surrounding style and maintain consistency with other inline code examples.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: ba4cd741-33b9-4ef4-aa93-54c7d5bead70
📒 Files selected for processing (3)
.github/workflows/claude-code-reusable.ymlstandards/ci-standards.mdstandards/workflows/claude.yml
Contributor
Superseded by automated re-review at
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a4c4369246
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Contributor
Review — fix requested (cycle 3/3)The automated review identified the following issues. Please address each one: Findings to fixAutomated review — NEEDS HUMAN REVIEWRisk: MEDIUM SummaryPR #292 replaces the broken check_run trigger with workflow_run and adds two new bot-driven automation jobs. CI is fully green and the workflow_run migration is sound, but three valid CodeRabbit findings remain unaddressed (missing fork-safety gate on claude-fix-bot-comments, vague cycle description in claude-fix-pr-reviews prompt, and an invalid YAML placeholder in ci-standards.md), and the branch has a merge conflict. No HIGH-severity security issues found — all secrets access patterns, pinned action SHAs, and fork-safety gates on the other two jobs are correct. Findings
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.7). Reply if you need a human review. Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
Contributor
Author
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
* feat: make pr-review-mention an org standard with reusable workflow - Extract all logic from pr-review-mention.yml into pr-review-mention-reusable.yml (org single source of truth) - Slim pr-review-mention.yml down to a thin caller stub (local ref pattern, matching auto-rebase.yml) - Add standards/workflows/pr-review-mention.yml canonical template for other repos (@v1 reference) - Add pr-review-mention.yml to REQUIRED_WORKFLOWS and centralized stub checks in compliance-audit.sh - Document in ci-standards.md: template table, required-workflow count (6→7), and §10 with full spec - Add scripts/deploy-standard-workflows.sh to push standard stubs to all org repos in one command Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix: remove unused counter vars (SC2034), add trailing newline to codeowners-standard Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix: address Gemini review comments on deploy-standard-workflows.sh - Fix claude.yml compliance check: derive uses: from template (not stem-reusable heuristic), so the claude→claude-code-reusable name exception is handled automatically - Combine two API calls (SHA + content) into one fetch_existing call with tab-split output - Fix base64 portability: try -w 0 (GNU), fall back to -b 0 (BSD/macOS) - Increase repo list limit to 500 for larger orgs - Remove unused counter variables (already fixed in prior commit; this replaces the old approach) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix: address Copilot review comments - Declare GH_PAT_WORKFLOWS in workflow_call secrets block (matching other reusables) - Clarify fork-PR guard docs: only review_requested path excludes forks; comment triggers are base-repo-only by GitHub's event model, protected by trust check - Fix 'SHA' → 'tag' in standards/workflows/pr-review-mention.yml header comment - Add --no-archived to gh repo list in deploy script - Switch --field to --raw-field for content/sha/message to avoid form-encoding issues with base64's + and / characters Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…(18 fixes, 17 new tests) (#85) * test(feature-ideation): extract bash to scripts, add schema + 92 bats tests Refactors the reusable feature-ideation workflow's parsing surface from an inline 600-line YAML heredoc into testable scripts with deterministic contracts. Every defect that previously required post-merge review can now fail in CI before adopters notice. Why --- The prior reusable workflow used `2>/dev/null || echo '[]'` for every gh / GraphQL call, which silently downgraded auth failures, rate limits, network outages, and GraphQL schema drift to empty arrays. The pipeline would "succeed" while producing useless signals — and Mary's Discussion posts would silently degrade across every BMAD repo on the org. The prompt also instructed Mary to "use fuzzy matching" against existing Ideas Discussions in her head, which is non-deterministic and untestable. Risk register (probability × impact, scale 1–9): R1=9 swallow-all-errors gh wrapper R2=6 literal $() inside YAML direct prompt R3=6 no signals.json schema R4=6 jq --argjson crash on empty input R5=6 fuzzy match in Mary's prompt → duplicate Discussions R6=6 retry idempotency hole R7=6 GraphQL errors[]/null data not detected R8=4 GraphQL partial errors silently accepted R10=3 bot filter only catches dependabot/github-actions R11=4 pagination silently truncates What's new ---------- .github/scripts/feature-ideation/ collect-signals.sh Orchestrator (replaces inline heredoc) validate-signals.py JSON Schema 2020-12 validator match-discussions.sh Deterministic Jaccard matcher (kills R5/R6) discussion-mutations.sh create/comment/label wrappers + DRY_RUN mode lint-prompt.sh Catches unescaped $() / ${VAR} in prompt blocks lib/gh-safe.sh Defensive gh wrapper, fails loud on every documented failure mode (kills R1, R7, R8) lib/compose-signals.sh Validates JSON inputs before jq composition lib/filter-bots.sh Extensible bot author filter (kills R10) lib/date-utils.sh Cross-platform date helpers README.md Maintainer docs .github/schemas/signals.schema.json Pinned producer/consumer contract for signals.json (Draft 2020-12). CI rejects any drift; the runtime signals.json is also validated by the workflow before being handed to Mary. .github/workflows/feature-ideation-reusable.yml Rewritten. Adds a self-checkout of petry-projects/.github so the scripts above are available in the runner. Replaces inline bash with collect-signals.sh + validate-signals.py. Adds RUN_DATE / SIGNALS_PATH / PROPOSALS_PATH / MATCH_PLAN_PATH / TOOLING_DIR env vars passed to claude-code-action via env: instead of unescaped shell expansions in the prompt body. Adds dry_run input that flows through to discussion-mutations.sh, which logs every planned action to a JSONL audit log instead of executing — uploaded as the dry-run-log artifact. .github/workflows/feature-ideation-tests.yml New CI gate, path-filtered. Runs shellcheck, lint-prompt, schema fixture validation, and the full bats suite on every PR that touches the feature-ideation surface. standards/workflows/feature-ideation.yml Updated caller stub template. Adds dry_run workflow_dispatch input so adopters get safe smoke-testing for free. Existing TalkTerm caller stub continues to work unchanged (dry_run defaults to false). test/workflows/feature-ideation/ 92 bats tests across 9 suites. 14 GraphQL/REST response fixtures. 5 expected signals.json fixtures (3 valid + 2 INVALID for negative schema testing). Programmable gh PATH stub with single-call and multi-call modes for integration testing. | Suite | Tests | Risks closed | |-----------------------------|------:|--------------------| | gh-safe.bats | 19 | R1, R7, R8 | | compose-signals.bats | 8 | R3, R4 | | filter-bots.bats | 5 | R10 | | date-utils.bats | 7 | R9 | | collect-signals.bats | 14 | R1, R3, R4, R7, R11| | match-discussions.bats | 13 | R5, R6 | | discussion-mutations.bats | 10 | DRY_RUN contract | | lint-prompt.bats | 8 | R2 | | signals-schema.bats | 8 | R3 | | TOTAL | 92 | | Test results: 92 passing, 0 failing, 0 skipped. Run with: bats test/workflows/feature-ideation/ Backwards compatibility ----------------------- The reusable workflow's input surface is unchanged for existing callers (TalkTerm continues to work with no edits). The new dry_run input is optional and defaults to false. Adopters who copy the new standards caller stub get dry_run support automatically. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * test(feature-ideation): use bash -c instead of sh -c in env-extension test CI failure on the previous commit: 91/92 passing, 1 failing. The filter-bots env-extension test used `sh -c` to source filter-bots.sh in a sub-shell with FEATURE_IDEATION_BOT_AUTHORS set. On macOS this works because /bin/sh is bash. On Ubuntu (CI), /bin/sh is dash, which does not support `set -o pipefail`, so sourcing filter-bots.sh produced: sh: 12: set: Illegal option -o pipefail Fixed by switching to `bash -c`. All scripts already use `#!/usr/bin/env bash` shebangs; this is the only place a sub-shell was spawned via `sh`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(feature-ideation): address Copilot review on PR #85 (11 fixes + 16 tests) Triaged 14 inline comments from Copilot's review of #85; two were already fixed by the tooling_ref→v1 commit, the remaining 11 are addressed here. Critical bug fixes ------------------ 1. lint-prompt.sh now scans claude-code-action v1 `prompt:` blocks in addition to v0 `direct_prompt:`. The reusable workflow uses `prompt:` so the linter was silently allowing R2 regressions on the very file it was supposed to protect. Added two regression tests covering both the v1 form and a clean v1 form passes. 2. add_label_to_discussion now sends labelIds as a proper JSON array via gh_safe_graphql_input (new helper). Previously used `gh -f labelIds=` which sent the literal string `["L_1"]` and the GraphQL API would have rejected the mutation at runtime. Added a test that captures gh's stdin and asserts the variables block contains a length-1 array. 3. validate-signals.py now registers a `date-time` format checker via FormatChecker so the `format: date-time` keyword in signals.schema.json is actually enforced. Draft202012Validator does NOT enforce formats by default, and the default FormatChecker omits date-time entirely. Used an inline checker (datetime.fromisoformat with Z normalisation) to avoid pulling in rfc3339-validator. Added two regression tests: one for an invalid timestamp failing, one for a clean timestamp passing. 4. gh_safe_graphql --jq path no longer swallows jq filter errors with `|| true`. Filter typos / wrong paths now exit non-zero instead of silently returning []. Added a regression test using a deliberately broken filter. 5. collect-signals.sh now computes the open-issue truncation warning BEFORE filter_bots_apply. Previously, a result set composed entirely of bots could drop below ISSUE_LIMIT after filtering and mask real truncation. Added an integration test with all-bot fixtures. 6. match-discussions.sh now validates MATCH_THRESHOLD as a non-negative number in [0, 1] before passing to Python. A typo previously surfaced as an opaque traceback. Added regression tests for non-numeric input, out-of-range input, and boundary values 0 and 1. Cleanup ------- 7. Removed dead bash `normalize_title` / `jaccard_similarity` functions from match-discussions.sh — the actual matching is implemented in the embedded Python block and the bash helpers were never called. 8. Schema $id corrected from petry-projects/TalkTerm/... to the canonical petry-projects/.github location. 9. signals-schema.bats "validator script exists and is executable" test now actually checks the `-x` bit (was only checking `-f` and `-r`). 10. README + filter-bots.sh comments now describe the bot list as a "blocklist" (it removes matching authors) instead of "allowlist". 11. test/workflows/feature-ideation/stubs/gh now logs argv with `printf '%q '` so each invocation is shell-quoted and re-parseable, matching its documentation. Previously logged `$*` which lost arg boundaries. New helper ---------- gh_safe_graphql_input — same defensive contract as gh_safe_graphql, but takes a fully-formed JSON request body via stdin instead of -f/-F flags. Use for mutations whose variables include arrays (e.g. labelIds: [ID!]!) that gh's flag-based interface cannot express. Five new tests cover its happy path and every documented failure mode. Tests ----- Test count: 92 → 108 (16 new regression tests, all green). Run with: bats test/workflows/feature-ideation/ Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(feature-ideation): address CodeRabbit review on PR #85 (7 fixes + 1 test) Triaged 13 inline comments from CodeRabbit's review of #85; 6 of them overlapped with Copilot's review and were already fixed by bcaa579. The remaining 7 are addressed here. Fixes ----- 1. lint-prompt.sh: ${VAR} branch lookbehind was inconsistent with the $(...) branch — only rejected $$VAR but not \${VAR}. Both branches now use [\\$] so backslash-escaped and dollar-escaped forms are skipped uniformly. 2. filter-bots.sh: FEATURE_IDEATION_BOT_AUTHORS CSV entries are now trimmed of leading/trailing whitespace before being added to the blocklist, so "bot1, bot2" matches both bots correctly instead of keeping a literal " bot2" entry. 3. validate-signals.py: malformed signals JSON now exits 2 (file/data error) to match the documented contract, instead of 1 (which means schema validation error). 4. README.md: corrected the workflow filename reference from feature-ideation.yml to feature-ideation-reusable.yml, and reworded the table cell that contained `\|\|` (escaped pipes that don't render correctly in some Markdown engines) to use plain prose. Also noted that lint-prompt scans both v0 `direct_prompt:` and v1 `prompt:`. 5. collect-signals.sh: added an explicit comment above SCHEMA_VERSION documenting the lockstep requirement with signals.schema.json's $comment version annotation. Backed by a new bats test that parses both files and asserts they match. 6. signals.schema.json: added $comment "version: 1.0.0" annotation so the schema file declares its own version explicitly. Used $comment instead of a custom keyword to keep Draft202012 compliance. 7. test/workflows/feature-ideation/match-discussions.bats: build_signals helper now computes the discussions count from the array length instead of hardcoding 0, so the fixture satisfies its own contract (cosmetic — the matcher only reads .items, but contract hygiene matters in test scaffolding). 8. test/workflows/feature-ideation/gh-safe.bats: removed the `|| true` suffix on the rest-failure assertion that made it always pass. Now uses --separate-stderr to capture stderr and asserts the structured `[gh-safe][rest-failure]` prefix is emitted on the auth failure path. Required `bats_require_minimum_version 1.5.0` to suppress the bats-core warning about flag usage. Tests ----- Test count: 108 → 109 (one new test for SCHEMA_VERSION ↔ schema sync). All 109 passing locally. Run with: bats test/workflows/feature-ideation/ Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(feature-ideation): address CodeRabbit re-review on PR #85 (15 fixes + 5 new tests) Critical/major: - collect-signals.sh: validate ISSUE_LIMIT/PR_LIMIT/DISCUSSION_LIMIT are positive integers; tighten REPO validation with strict ^[^/]+/[^/]+$ regex - compose-signals.sh: enforce array type (jq 'type == "array"') not just valid JSON so objects/strings don't silently produce wrong counts - date-utils.sh: guard $# before reading $1 to prevent set -u abort on zero-arg calls - filter-bots.sh: replace unquoted array expansion with IFS=',' read -r -a to prevent pathname-globbing against filesystem entries - gh-safe.sh: bounds-check args[i+1] before --jq dereference; add $# guard to gh_safe_graphql_input() to prevent nounset abort - lint-prompt.sh: recognise YAML chomping modifiers (|-,|+,>-,>+) in prompt_marker regex; replace [^}]* GH-expression stripper with a stateful scanner that handles nested braces; preserve exit-2 over exit-1 in main() - match-discussions.sh: wrap json.load calls in try/except for structured error exit-2 instead of Python traceback; skip discussions without an id; switch from greedy per-proposal to similarity-sorted global optimal matching - validate-signals.py: catch OSError on read_text() to preserve exit-2 contract; add -> bool return type annotation to _check_date_time Docs: - README.md: update lint command to mention both direct_prompt: and prompt:; fix Mary's prompt pointer to feature-ideation-reusable.yml Tests (+5 new, 109 → 114 total): - lint-prompt.bats: missing-file-before-lint-failing-file exits 2; YAML chomping modifiers detected; nested GH expressions don't false-positive - match-discussions.bats: malformed signals JSON exits non-zero; malformed proposals JSON exits non-zero - signals-schema.bats: truncated/malformed JSON exits 2 not 1 - date-utils.bats: use date_today helper instead of raw date -u - stubs/gh: prefer TT_TMP/BATS_TEST_TMPDIR for counter file isolation Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix(feature-ideation): simplify error-envelope check and harden gh stub Collapse the redundant outer+inner jq guard in gh_safe_graphql into the single-expression form already used by gh_safe_graphql_input, making both functions consistent. Add a fail-fast check to the gh stub so that setting GH_STUB_SCRIPT to a nonexistent path produces an immediate error instead of silently falling through to single-call mode and masking test misconfiguration. Add a bats test that pins the new behaviour. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…I failures - Replace check_run trigger with workflow_run in claude-ci-fix job. check_run is not a supported event type in claude-code-action; workflow_run is supported and provides pull_requests[0].number directly. Fork-safety is enforced via pull_requests[0].head.repo.full_name == github.repository. - Add claude-fix-pr-reviews job for pull_request_review events from trusted AI reviewer bots (Copilot, Gemini, CodeRabbit). Skips APPROVED reviews; acts on COMMENTED and CHANGES_REQUESTED. Uses allowed_bots to bypass the author_association guard that would otherwise skip bot actors. - Add claude-fix-bot-comments job for issue_comment events from trusted external CI tools (SonarCloud, CodeRabbit) on PRs. These bots have author_association NONE which causes the claude job to silently skip them. - Update standards/workflows/claude.yml template: replace check_run with workflow_run (with example workflow names) and add pull_request_review. Update header comment to list the new triggers. - Update standards/ci-standards.md: update standard config example, job descriptions, and compliance audit mention to reflect the new approach. Closes #291 Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
…ad.yml (#301) Deprecates claude.yml in ci-standards.md and promotes dev-lead.yml as the primary Tier 1 template. Makes §5 fully archival-only (removes links and converts operational instructions to historical reference) per CodeRabbit review feedback.
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4.6.2...043fb46) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
…le (#152) * fix(ci): downgrade pnpm/action-setup to v5 in dependency-audit reusable The SHA 08c4be7e (mislabeled # v4) is actually pnpm/action-setup@v6.0.0, which bootstraps with pnpm v11.0.0-rc.0. pnpm v11-rc cannot parse lockfiles generated by pnpm v9 (lockfileVersion '9.0'), causing ERR_PNPM_BROKEN_LOCKFILE in all repos still on pnpm v9. Pinning to action-setup@v5.0.0 (fc06bc1), which installs pnpm via npm directly with no v11 bootstrap, restoring compatibility with pnpm v9. * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… loop (#220) * feat: add compliance-remediate.sh — close the audit → auto-fix → PR loop Adds `scripts/compliance-remediate.sh` to auto-remediate recurring compliance-audit findings from `findings.json`. Direct API remediations (applied immediately, no PR): - `has_wiki=true` → PATCH has_wiki=false - `allow_auto_merge=false` → PATCH allow_auto_merge=true - `delete_branch_on_merge=false` → PATCH delete_branch_on_merge=true - `has_discussions=false` → PATCH has_discussions=true - `check-suite-auto-trigger-*` → disable for Claude/CodeRabbit app IDs - `missing-label-*` → gh label create with colors/descriptions from standard PR-based remediations (creates branch + PR in target repo): - `missing-codeowners`, `codeowners-empty`, `codeowners-org-leads-not-first`, `codeowners-individual-users`, `codeowners-no-catchall` → generates `.github/CODEOWNERS` with `* @petry-projects/org-leads` per current standard - `unpinned-actions-<file.yml>` → resolves tag → commit SHA (handles annotated vs. lightweight tags), pins all unpinned refs, opens PR Skipped with explanation (for human/agent pickup): - Workflow files, rulesets, dependabot.yml, CLAUDE.md/AGENTS.md, CodeQL default setup, push-protection settings Improvements over prior attempts (claude/issue-35-20260406-0341): - CODEOWNERS generation uses `@petry-projects/org-leads` team (not individual users — forbidden per codeowners-standard.md updated 2026-05-04) - Handles all five CODEOWNERS finding variants, not just `missing-codeowners` - Adds `in-progress` label to the label map (was missing) - Adds check-suite auto-trigger remediation (new audit finding) - Bash 4+ version guard (consistent with apply-repo-settings.sh) Closes #35 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address ShellCheck warnings in compliance-remediate.sh - SC2034: Remove unused CHECK_SUITE_APP_IDS array (app_id extracted from finding check name at runtime, no static list needed) - SC2155: Split local declarations from command-substitution assignments (local branch_name; branch_name="...$(date ...)") - SC2221/SC2222: Move ci-workflows/missing-permissions-* before the more general ci-workflows/missing-* to prevent pattern override Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… reusable refs (#260) * fix(compliance): add secret-scan job, pin dtolnay action, exempt internal reusable refs - ci.yml: add required secret-scan job using gitleaks (per push-protection.md#required-ci-job), fixing the secret_scan_ci_job_present error for .github repo - dependency-audit.yml: pin dtolnay/rust-toolchain@stable to SHA 29eef336d9b2848a0b548edc03f92a220660cdb8, fixing unpinned-actions-dependency-audit.yml - compliance-audit.sh: exempt petry-projects/.github reusable workflow refs from SHA-pinning check — ci-standards.md#action-pinning-policy explicitly allows @v1/@main for internal reusables; the missing exemption caused false positives for agent-shield.yml, claude.yml, and dependabot-automerge.yml across all repos Closes #259 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): add GITLEAKS_LICENSE for org repo and document requirement gitleaks/gitleaks-action v2 requires a paid license key for GitHub organization repos. Add GITLEAKS_LICENSE env var to the secret-scan job and document the requirement in push-protection.md so all adopting repos know to configure the GITLEAKS_LICENSE org secret. Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix(ci): use gitleaks CLI instead of action to avoid org license requirement gitleaks-action v2 requires a paid license for GitHub org repos. Switch to go install github.com/zricethezav/gitleaks/v8@v8.30.1 which is free and uses Go's checksum database (sum.golang.org) for integrity verification. - ci.yml: replace action with go install + CLI run - push-protection.sh: accept 'gitleaks detect' CLI invocations alongside the action pattern in the secret_scan_ci_job_present compliance check - push-protection.md: update canonical job template to CLI approach and document why (org license requirement), note action as option with license Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
* Add multi-agent isolation strategy using git worktrees (#2)
* Add multi-agent isolation strategy using git worktrees
Define org-wide rules for running multiple AI agents concurrently
without conflicts: one worktree per agent, no overlapping file
ownership, tool-specific setup for Claude Code/Copilot/Codex/Cursor,
naming conventions, cleanup, and a pre-launch coordination checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address review comments: overlap detection, markdown fixes, branch clarity
- Add "Detecting File Overlap" subsection per CodeRabbit suggestion
- Reword origin/HEAD to reference default branch explicitly (Copilot)
- Qualify "name flows into branch" for manual worktrees (Copilot)
- Quote isolation: "worktree" consistently in YAML example (Copilot)
- Add git branch -D fallback for squash/rebase merges (Copilot)
- Fix markdown blank lines and language specifiers (CodeRabbit)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: Dependabot security-only update standards (#9)
Adds org-wide Dependabot security-only update standards: policy doc, dependabot.yml templates for all ecosystems, auto-merge workflow, and dependency-audit CI workflow.
* docs: add GitHub repository settings standards (#10)
* docs: add GitHub repository settings standards
Document the standard org and repo configurations including branch
protection, rulesets, merge settings, required integrations, labels,
and new-repo onboarding checklist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Improve merge settings rationale to clarify admin override purpose inline
- Replace vague protect-branches description with specific ruleset details
from the actual GitHub API configuration
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct settings values from API audit data
- Fix org default permission to 'write' (not 'read')
- Fix has_projects to 'true' (currently enabled on all repos)
- Fix has_wiki to 'true' (enabled on most repos)
- Fix squash commit message to COMMIT_MESSAGES (not PR body)
- Fix broodly stack label (TypeScript + Go, not Rust)
- Add installed GitHub Apps with dates from API audit
- Add compliance status table showing per-repo deviations
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: apply review feedback — rulesets, settings, and secrets
- Change wiki to disabled, discussions to enabled
- Change squash commit title to PR_TITLE
- Replace classic branch protection with rulesets-first approach
- Strengthen pr-quality ruleset: dismiss stale reviews, require last
push approval, require code owner review
- Abstract required checks into conditional code-quality ruleset
(removes repo-specific names, uses condition-based check mapping)
- Fix GitHub App secrets to reflect org-level inheritance
- Update new-repo checklist and compliance status accordingly
- Add migration note for classic → ruleset transition
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: require 2FA and align label onboarding checklist
- Set two-factor requirement to Required (was Disabled)
- Reference full standard label set in onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: tighten org permission to read, make labels MUST
- Change default repo permission to 'read' (least privilege)
- Change labels from SHOULD to MUST for consistency with onboarding checklist
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: make all quality checks required on all repos
All five check categories (SonarCloud, CodeQL, Claude Code, CI, Coverage)
are now universally required. Ecosystem-specific configuration varies by
what languages/tools the repo contains — if an ecosystem is present, it
must be configured in the relevant checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove ci-standards.md (belongs in PR #11, not this branch)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: consolidate secrets documentation, add CLAUDE_CODE_OAUTH_TOKEN
- Split secrets into org-level and repo-level sections
- Add CLAUDE_CODE_OAUTH_TOKEN to org secrets table
- Add SONAR_TOKEN and GCP secrets to repo-level table
- Align onboarding note with secrets sections
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL rule-based, org-level secrets, remove repo-level section
- CodeQL definition now focuses on rule: all ecosystems must be configured
- Move SONAR_TOKEN to org-level secrets
- Remove repo-level secrets section — all standard CI secrets are org-level
- Simplify onboarding note
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix typo in repo-specific secrets note
Correct typo in the note about repo-specific secrets.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add CI/CD standards and workflow patterns (#11)
* docs: add CI/CD standards and workflow patterns
Document standard CI configurations across all repos including required
workflows, tech stack patterns, action pinning policy, permissions,
secrets inventory, and a gap analysis of current repo coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address Copilot review feedback on CI standards
- Clarify that only Dependabot workflows have reusable templates;
CI/CodeQL/SonarCloud/Claude are documented as copy-and-adapt patterns
- Fix top-level permissions in CI example to use {} per permissions policy
- Add branches filter to SonarCloud pull_request trigger for consistency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit SHA pinning and Go version feedback
- Pin SHAs in SonarCloud, Claude Code, and auto-fix workflow examples
- Clarify that tech stack patterns use tags for illustration only
- Update Go version example to use 'stable' with note about pinning
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: clarify single-job workflow permissions policy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: refine CI gap analysis and add version inconsistencies
- Mark markets Dependabot config as partial (missing npm ecosystem)
- Mark google-app-scripts auto-merge as older pattern
- Flag non-standard npm limit:10 on google-app-scripts
- Add CodeQL for TalkTerm to missing list
- Add version inconsistency section (SonarCloud, CodeQL, Claude Code)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: align CI standards with universal check requirements
All five quality checks (SonarCloud, CodeQL, Claude, CI, Coverage) are
required on every repo. Updated status table with Coverage column,
prioritized gap remediation list, and version alignment targets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CodeQL Friday noon EST, rule-based config, org-level secrets
- Change CodeQL schedule to Friday 12:00 PM EST (cron: 0 17 * * 5)
- Replace repo-specific language matrix with rule: all ecosystems
present in repo must be configured as CodeQL languages
- Move SONAR_TOKEN to org-level secrets
- Replace "Secrets by Repository" with "Organization-Level Secrets
for Standard CI" — all standard secrets are org-inherited
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add weekly compliance audit workflow (#12)
* feat: add weekly compliance audit workflow
Adds automated weekly audit that checks all petry-projects repos
against org standards (CI, Dependabot, settings, labels, rulesets)
and creates/updates/closes issues for each finding.
- Deterministic shell script for reliable, repeatable checks
- Claude Code Action job for standards improvement research
- Issues auto-assigned to Claude for remediation
- Summary notification for org owners
- Idempotent: updates existing issues, closes resolved ones
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review findings in compliance audit
- Add retry error logging to gh_api helper
- Fix pnpm detection when package.json absent
- Fix empty ecosystem array display
- Replace heredoc with direct assignment for issue body
- Add jq error safety in close_resolved_issues
- Increase repo list limit to 500 with empty check
- Use process substitution instead of pipe subshell
- Add concurrency group and timeout to workflow
- Add timeout-minutes to audit job
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address CodeRabbit and Copilot review comments
- Handle single-job workflows with job-level permissions
- Add has_issues to required settings checks
- Soften CODEOWNERS wording (SHOULD not MUST per standards)
- Remove misleading issues:write from audit job permissions
- Rename repo_count to repos_with_findings for clarity
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: do not auto-close previous summary issues
Per feedback, only humans should close summary/notification
issues. Changed Claude prompt to explicitly not close them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: run compliance audit every Friday at noon UTC
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks (#14)
* feat: audit .github repo and add CLAUDE.md/AGENTS.md checks
- Remove .github repo exclusion — it now gets audited like all
other repos (settings, labels, rulesets, workflows, etc.)
- Add check_claude_md: every repo must have a CLAUDE.md that
references AGENTS.md
- Add check_agents_md: every repo must have an AGENTS.md that
references the org-level .github/AGENTS.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments on CLAUDE.md/AGENTS.md checks
- Point standard_ref to AGENTS.md (the actual source of truth)
- Upgrade missing-ref severities from warning to error (required)
- Tighten AGENTS.md org-ref grep to match .github/AGENTS.md only
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add full CI pipeline for .github repo (#15)
* feat: add full CI pipeline for .github repo
Adds all 6 required workflows per ci-standards.md:
- ci.yml: markdownlint, yamllint, actionlint, shellcheck, AgentShield
- codeql.yml: actions language analysis
- sonarcloud.yml: code quality scanning
- claude.yml: AI-assisted PR review
- dependabot-automerge.yml: auto-merge eligible PRs
- dependency-audit.yml: vulnerability scanning
Also adds:
- .github/dependabot.yml (github-actions ecosystem)
- .markdownlint-cli2.yaml (config for standards docs)
- sonar-project.properties
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct markdownlint SHA, use npx for AgentShield, remove duplicate CodeQL
- Fix markdownlint-cli2-action SHA to v9.0.0 (v20 doesn't exist)
- Use npx ecc-agentshield CLI instead of broken GitHub Action
- Remove codeql.yml — repo already has default CodeQL setup enabled
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: relax markdownlint rules, pin actionlint download
- Disable line-length, duplicate-heading, blanks-around-lists,
bare-urls rules — existing docs have many violations; fix
incrementally as separate PRs
- Replace curl|bash with pinned version download for actionlint
(fixes SonarCloud security hotspot)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: break long line in org-scorecard.yml for yamllint
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: make actionlint fail on errors, guard shellcheck glob
- Remove || true from actionlint on our own workflows (fail properly)
- Keep || true only for template workflows (expected placeholder issues)
- Guard shellcheck glob against missing scripts/ directory
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: ignore shellcheck style hints in actionlint
SC2129 (use grouped redirects) is a style suggestion, not a bug.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add SHA256 checksum verification for curl downloads
Addresses SonarCloud security hotspots by verifying checksums
on all binary downloads:
- actionlint 1.7.7 in ci.yml
- scorecard 5.1.1 in org-scorecard.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: enforce MD041, add standards references to all YAML files
- Enable MD041 (first line heading) — all markdown files already comply
- Add header comment to each workflow YAML with purpose and link to
the org standard definition that governs it
- Add header comment to dependabot.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: resolve all markdown lint violations and enable enforced rules (#24)
* fix: resolve all markdown lint violations, enable enforced rules
Enable previously-disabled markdownlint rules:
- MD013 (line length 200, excluding tables/code blocks)
- MD024 (duplicate headings, siblings only)
- MD032 (blanks around lists)
- MD034 (no bare URLs)
Fix 54 violations across 3 files:
- AGENTS.md: wrap 44 long lines, add 6 blank lines around lists,
wrap 3 bare URLs in angle brackets
- standards/ci-standards.md: 1 blank line around list
- standards/dependabot-policy.md: 1 blank line around list
Also add .claude/ and node_modules/ to markdownlint ignore list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: indent list continuations, correct issue trigger security note
- Fix 7 locations in AGENTS.md where wrapped list items had
unindented continuation lines (breaks Markdown rendering)
- Fix ci-standards.md issue trigger security note: triage role
can also label, and compliance audit uses its own label
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add checkout step to Claude Code standard configuration (#26)
The claude-code-action requires the repository to be checked out before
it can run git operations for issue-triggered branch setup. Without
actions/checkout, issue-triggered runs fail with:
fatal: not a git repository
All org repos have already been updated with this fix.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add AgentShield CI standard and agent-shield.yml workflow template (#25)
Adds AgentShield as the 7th required CI workflow with org standard and reusable template.
* fix: add agent-shield.yml to required workflows in compliance audit
The audit script's REQUIRED_WORKFLOWS array was not updated when
AgentShield was added as the 7th required workflow. Repos missing
agent-shield.yml will now be flagged as compliance findings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add claude label to compliance audit issues
Issues need the claude label so the Claude Code workflow picks them
up for auto-remediation. The script was only applying compliance-audit.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: extend compliance audit with CI/automation health survey (#13)
Replaces compliance-audit.yml with compliance-audit-and-improvement.yml,
extending the existing weekly compliance audit with runtime health
telemetry and a forward-looking best practices research phase.
Architecture (3 jobs):
Job 1 — Compliance Audit (unchanged)
Deterministic shell script checking all repos against org standards.
Creates/updates/closes compliance issues per finding.
Job 2 — Health Survey (new)
Collects runtime telemetry across all org repos:
CI run failures (7d), security alerts (Dependabot/secret/code scanning),
PR staleness, branch protection status, workflow inventory.
Job 3 — Analyze & Create Issues (Claude, rewritten)
Six-phase analysis combining both datasets:
1. Load compliance + health data and org standards
2. Correlate and categorize findings by severity
3. Research root causes and automation opportunities
4. Evaluate against industry best practices and emerging capabilities
(agentic guardrails, supply chain integrity, reliability SLOs, etc.)
— outputs only standards proposals, not implementation issues
5. Create issues: repo-specific go in that repo, org-wide in .github,
every issue gets the claude label for agent pickup
6. Summary report to step summary
Issue rules:
- Every issue must have the `claude` label
- Repo-specific issues are created in that repo
- Org-wide and standards proposals go in .github
- Deduplicates against existing open issues
- Max 3 standards-improvement + 3 best-practices proposals per run
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: handle gh api 403/404 responses in health survey
The gh api command with --jq outputs error JSON to stdout on 403/404
before the fallback runs, producing concatenated invalid output like
'{"message":"..."}0'. This broke integer comparisons and jq parsing.
Fix: use if/else on exit code for all gh api calls (security alerts,
branch protection, workflow inventory) instead of `|| echo` fallbacks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add dependabot-rebase workflow standard (#52)
* feat: add dependabot-rebase workflow to unblock auto-merge serialization
When strict status checks require branches to be up-to-date, merging one
Dependabot PR makes others fall behind. Dependabot only rebases on its
weekly schedule, leaving auto-merge stalled. This workflow triggers on
push to main and comments @dependabot rebase on behind PRs, preserving
Dependabot's commit signature for fetch-metadata verification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use API merge method and add direct merge step
Based on testing in google-app-scripts:
- @dependabot rebase only works from human users, not bots
- API rebase breaks Dependabot ownership; API merge preserves it
- GitHub auto-merge (--auto) fails due to BLOCKED mergeable_state
- Add direct merge step and skip-commit-verification to automerge
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add concurrency group to prevent overlapping runs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use correct claude-code-action input names
The action accepts `prompt` (not `direct_prompt`) and `claude_args`
(not `timeout_minutes`/`allowed_tools`). The previous inputs were
silently ignored, causing Claude to never run.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump actions/download-artifact from 4.3.0 to 8.0.1 (#16)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-version: 8.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump pnpm/action-setup from 4.1.0 to 5.0.0 (#17)
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/a7487c7e89a18df4991f7f222e4898a00d66ddda...fc06bc1257f339d1d5d8b3a19a8cae5388b55320)
---
updated-dependencies:
- dependency-name: pnpm/action-setup
dependency-version: 5.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#18)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-go from 5.5.0 to 6.4.0 (#20)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/d35c59abb061a4a6fb18e82ac0862c26744d6ab5...4a3601121dd01d1626a1e23e37211e3254c1c06c)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/checkout from 4.2.2 to 6.0.2 (#21)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.2.2...de0fac2e4500dabe0009e67214ff5f5447ce83dd)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump actions/setup-node from 4.4.0 to 6.3.0 (#23)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4.4.0...53b83947a5a98c8d113130e565377fae1a50d02f)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): Bump anthropics/claude-code-action from 1.0.83 to 1.0.89 (#22)
Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.89.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](https://github.com/anthropics/claude-code-action/compare/v1.0.83...6e2bd52842c65e914eba5c8badd17560bd26b5de)
---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
dependency-version: 1.0.89
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: remove claude_args causing exit code 1
The --allowedTools and --timeout flags passed via claude_args caused
Claude Code to exit immediately with code 1. Removing claude_args
to use defaults — the job-level timeout (45min) and permissions
(contents:read, issues:write) provide sufficient guardrails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: split Claude workflow into interactive + issue automation jobs (#54)
* feat: split Claude workflow into interactive + issue automation jobs
The single-job Claude workflow created branches for issue-labeled triggers
but never opened PRs — requiring a human to click through. Split into two
jobs so issue-triggered work runs in automation mode with a prompt that
drives the full lifecycle: implement, create PR, self-review, resolve
comments, check CI, and tag the maintainer.
Updates both the workflow and the ci-standards.md standard definition.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use CODEOWNERS for maintainer tagging instead of hardcoded username
The claude-issue prompt now reads CODEOWNERS at runtime to determine
who to tag when a PR is ready. This removes the need for per-repo
customization of the prompt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require GitHub Discussions on all repos (#53)
* feat: require GitHub Discussions on all repos with standard categories
Elevate Discussions from optional community feature to required org standard.
Add Discussions Configuration section defining required categories (Ideas,
General) and automated ideation workflow integration. Promote has_discussions
audit check from warning to error via REQUIRED_SETTINGS_BOOL.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: require feature-ideation workflow for BMAD Method repos
Add bmad-method ecosystem detection (looks for _bmad/ directory) and
conditionally require feature-ideation.yml workflow. Add CI Standards
section 8 documenting the conditional workflow. Update ecosystem table
in github-settings.md to include bmad-method.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments — severity levels and requirement language
- Extend REQUIRED_SETTINGS_BOOL tuple format to include per-entry severity
(key:expected:severity:detail) instead of hardcoding all as warning
- Set has_discussions and has_issues to error severity; others remain warning
- Change feature-ideation.yml finding from warning to error for BMAD repos
- Change SHOULD to MUST for BMAD ideation workflow requirement in standards
Addresses CodeRabbit and Copilot review comments on PR #53.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: grant claude-issue job tools to create PRs and check CI (#55)
The claude-issue job had no access to `gh` CLI or file editing tools,
so Claude could implement and push but never actually open a PR.
Added --allowedTools for gh pr create/view, gh run view/watch, cat,
Edit, and Write so the automation prompt can execute end-to-end.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add apply-repo-settings.sh to remediate compliance findings (#56)
Adds `scripts/apply-repo-settings.sh`, a companion to `compliance-audit.sh`
that applies all standard repository settings defined in
`standards/github-settings.md#repository-settings--standard-defaults`.
Addresses the `allow_auto_merge` compliance finding (issue #42) and any
other boolean/merge-config drift across org repos.
Usage (after merging, run with an admin token):
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh .github
GH_TOKEN=<admin-token> ./scripts/apply-repo-settings.sh --all
Closes #42
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add concurrency guard and comment tools to claude-issue job
- Add concurrency group keyed on issue number to prevent duplicate runs
- Add gh pr comment and gh issue comment to allowedTools so Claude can
post review replies, resolve threads, and tag code owners
- Remove Bash(cat:*) since the Read tool already covers file reads
Addresses review feedback from CodeRabbit and Copilot across org PRs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add GH_TOKEN preflight check to compliance-audit.sh (#60)
Adds an early-exit preflight check at the top of main() that:
1. Fails fast with a clear error if GH_TOKEN is unset
2. Runs gh auth status to verify the token is valid before proceeding
Previously, auth failures manifested deep in the script as cryptic
gh CLI errors rather than a clear authentication failure.
Note: the step-level GH_TOKEN env var in the workflow also needs
to be added manually (cannot be done here due to workflow permissions).
See issue #30 for the required one-line workflow change.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: replace unpinned dtolnay/rust-toolchain action with rustup in dependency-audit.yml (#72)
fix: replace unpinned dtolnay/rust-toolchain action with rustup
Replaces `uses: dtolnay/rust-toolchain@stable` (unpinned action) with a
direct `rustup toolchain install stable --profile minimal` run step.
The action was used with no parameters so this is functionally identical.
Using a run step eliminates the action-pinning compliance finding since
`run:` steps are not subject to the SHA pinning requirement.
Closes #41
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add claude.yml template + checkout audit check (#63)
fix: add claude.yml template + checkout audit check (#33)
Root cause: the recent org-wide PRs added checkout only to the
claude-issue job, leaving the claude job (PR reviews / @claude
mentions) without one. claude-code-action reads CLAUDE.md and
AGENTS.md from the working tree; without checkout it errors on
every PR-triggered run.
Changes:
- standards/workflows/claude.yml: canonical copy-paste template
with checkout in both jobs, matching the other templates in
standards/workflows/. Both checkout steps are annotated as
REQUIRED to prevent silent removal.
- scripts/compliance-audit.sh: new check_claude_workflow_checkout()
detects any repo whose claude or claude-issue job is missing
checkout and raises an error finding. Wired into the main audit
loop so weekly scans surface affected repos automatically.
- standards/ci-standards.md: added a visible callout that both jobs
need checkout and a pointer to the new template file.
Closes #33
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add has_discussions and has_issues to apply-repo-settings.sh (#59)
Extends the remediation script to include has_discussions and has_issues
settings from standards/github-settings.md#repository-settings--standard-defaults.
Previously the script only covered merge settings, leaving discussions and
issue-tracking compliance gaps unaddressed.
Closes #58
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: auto-create required labels during compliance audit (#67)
fix: auto-create required labels during compliance audit and settings apply
Adds ensure_required_labels() to compliance-audit.sh so all 6 required
labels (security, dependencies, scorecard, bug, enhancement, documentation)
are idempotently created during each audit run, eliminating the
missing-label-* compliance finding category.
Also extends apply-repo-settings.sh with apply_labels() so the remediation
script covers labels alongside repository settings.
Closes #46
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add apply-rulesets.sh to create code-quality ruleset (#71)
* feat: add apply-rulesets.sh to create code-quality ruleset
Adds scripts/apply-rulesets.sh — an IaC script that creates or updates
the code-quality repository ruleset (required status checks) for any
petry-projects repo via the GitHub API.
The script:
- Auto-detects which CI workflows are present and derives the correct
GitHub Actions check context strings (<workflow-name> / <job-name>)
- Supports --dry-run to preview without applying
- Creates or updates the ruleset idempotently (POST or PUT)
- Supports --all to run across every non-archived org repo
Closes #49
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: remove dead workflow_job_names function; guard empty checks array
- Remove unused workflow_job_names() helper — dead code never called
- Guard printf against empty array with set -u on older bash versions
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: restore executable bit on apply-rulesets.sh
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: address Dependabot major version updates and markdownlint v23 compatibility (#68)
- Disable new markdownlint rules enabled by default in v23 (MD049, MD050,
MD054, MD055, MD056, MD058) to prevent CI failures when Dependabot PR #19
(markdownlint-cli2-action v9→v23) is merged
- Sync standards/workflows/dependency-audit.yml to action versions currently
in the live workflow: actions/checkout v6.0.2, actions/setup-node v6.3.0,
and updated pnpm/action-setup and actions/setup-go patch SHAs
Note: .github/workflows/ files require manual edits (no workflow write permission):
- dependabot-automerge.yml: add skip-commit-verification: true to fix PR #22
- dependency-audit.yml: correct 6 version comments (SHA updated but comment still says v4/v5)
Closes #36
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: add app secrets guard and skip-commit-verification to dependabot workflows (#69)
* fix: add app secrets guard and skip-commit-verification to dependabot workflows
- Add `Check app secrets` step to all three dependabot workflow files so
missing APP_ID/APP_PRIVATE_KEY secrets produce a clear, actionable error
instead of the cryptic [@octokit/auth-app] appId option is required message
- Add `skip-commit-verification: true` to dependabot/fetch-metadata in
.github/workflows/dependabot-automerge.yml so it accepts the GitHub-authored
merge commits produced by the dependabot-rebase workflow
Closes #29
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: shorten error message lines to satisfy 200-char yamllint rule
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add org profile README (#61)
Creates profile/README.md with org overview, project table, standards
summary, and contribution guidelines.
Closes #37
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: update Node.js runtime examples from 20 to 24 in CI standards docs (#62)
* fix: update Node.js runtime from 20 to 24 across CI config and docs
Node.js 20 runtime is deprecated; GitHub will force Node.js 24 on
June 2 2026 and remove Node.js 20 entirely on September 16 2026.
- ci.yml: pin agent-security job to node-version '24'
- standards/ci-standards.md: update npm and pnpm pattern examples
Closes #34
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* revert: restore ci.yml to previous state (workflow permission not available)
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* docs: update compliance status and add bash 4+ requirement (#73)
* docs: update compliance status and add bash 4+ requirement
- Update Current Compliance Status table: all repo settings are now
fully compliant after bulk remediation; document remaining ruleset gaps
- Add Bash 4+ requirement note to apply-repo-settings.sh (uses
associative arrays, incompatible with macOS default Bash 3.2)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add bash 4+ runtime check to apply-repo-settings.sh
Addresses Copilot review: fail fast with actionable message instead of
cryptic declare -A error on macOS Bash 3.2.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore(deps): Bump DavidAnson/markdownlint-cli2-action from 9.0.0 to 23.0.0 (#19)
chore(deps): Bump DavidAnson/markdownlint-cli2-action
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 9.0.0 to 23.0.0.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/5b7c9f74fec47e6b15667b2cc23c63dff11e449e...ce4853d43830c74c1753b39f3cf40f71c2031eb9)
---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
dependency-version: 23.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues (#76)
* feat: prevent duplicate agent PRs via in-progress labels and umbrella issues
- Add `in-progress` label (#fbca04) to standard label set in github-settings.md
and apply-repo-settings.sh so all repos have it available for agents to claim issues
- Add `in-progress` to compliance-audit.sh REQUIRED_LABELS and ensure_required_labels()
so the audit enforces its presence across repos
- Remove `--label "claude"` from individual compliance finding issues; individual issues
now only get the `compliance-audit` label so multiple agents don't race on them
- Add create_umbrella_issue() to compliance-audit.sh: after each audit run, one umbrella
issue is created in petry-projects/.github grouping all findings by remediation category.
Only the umbrella gets the `claude` label, triggering one coordinated agent run instead
of N competing agents each fixing the same script/file
- Add "Multi-Agent Issue Coordination" section to AGENTS.md with:
- Claim-before-work protocol (check in-progress label, check for open PRs, claim before
writing code, release claim on abandonment)
- File-conflict check (search open PRs for the target file before creating it)
- Compliance umbrella issue guidance (work from umbrella, fix whole category per PR)
Closes #75
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: declare body separately in create_umbrella_issue to satisfy ShellCheck SC2155
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: reusable Claude Code workflow with workflows write permission (#77)
feat: extract reusable Claude Code workflow with GH_PAT_WORKFLOWS support
Centralizes the Claude Code prompt and config into a reusable workflow
(claude-code-reusable.yml) so repo-level claude.yml files are thin callers.
Adds github_token input using GH_PAT_WORKFLOWS secret to grant workflows
write permission, unblocking Claude from pushing .github/workflows/ changes.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add pr-quality ruleset support to apply-rulesets.sh
Adds build_pr_quality_ruleset_json() function and updates apply_rulesets()
to create/update the pr-quality ruleset on each repo, per the standard
defined in standards/github-settings.md.
Ruleset enforces:
- 1 required approving review
- Dismiss stale reviews on push
- Require code owner review
- Require last push approval
- All review threads resolved before merge
- Linear history (squash-only merges)
- No force pushes, no branch deletion
Bypass actors: OrganizationAdmin (always), dependabot-automerge-petry (pull_request).
Also removes stale TODO note from standards/github-settings.md about
pr-quality support being missing from the script.
Closes #48
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* feat: add CODEOWNERS file for code owner review enforcement
Adds .github/CODEOWNERS assigning @don-petry as default owner for all files.
Satisfies the pr-quality ruleset requirement for code owner reviews (the
"Require code owner review" setting has no effect without a CODEOWNERS file).
Closes #50
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* Add Feature Ideation workflow as standard for BMAD-enabled repos (#81)
* feat: add Feature Ideation workflow as a standard for BMAD-enabled repos
Promotes the BMAD Analyst (Mary) feature ideation workflow piloted in
petry-projects/TalkTerm to an org-wide standard for any repo with BMAD
Method installed.
Adds:
- standards/workflows/feature-ideation.yml — the canonical template,
generalised from TalkTerm. Customisation surface is a single
PROJECT_CONTEXT env var that describes the project and its market.
- standards/ci-standards.md §8 rewrite — documents the multi-skill
ideation pipeline (Market Research → Brainstorming → Party Mode →
Adversarial), the Opus 4.6 model requirement, the github_token
permissions gotcha, and the show_full_output secrets hazard.
- standards/agent-standards.md — adds a "BMAD Method Workflows"
section linking the standard from the agent ecosystem docs.
The four critical gotchas baked into the template were each discovered
empirically during the TalkTerm pilot and would silently regress without
the inline comments. Most importantly: the action's auto-generated
claude[bot] App token lacks discussions:write, so the workflow MUST
pass github_token: ${{ secrets.GITHUB_TOKEN }} explicitly or every
Discussion mutation fails silently while the run reports success.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: split feature-ideation into reusable workflow + thin caller stub
Avoids ~600 lines of prompt duplication across every BMAD-enabled repo and
makes the multi-skill ideation pipeline tunable in one place — changes here
propagate to every adopter on next scheduled run.
- .github/workflows/feature-ideation-reusable.yml — the actual reusable
workflow (workflow_call). Contains both jobs (signal collection +
analyst), the full Phase 1-8 prompt, and the four critical gotchas
(Opus 4.6 model, github_token override, no show_full_output, structural
Phase 2-5 sequence) hard-coded so they cannot regress.
- standards/workflows/feature-ideation.yml — replaced the 600-line copy
with a ~60-line caller stub that only defines the schedule, the
workflow_dispatch inputs, and a single required parameter:
project_context.
- standards/ci-standards.md §8 — documents the reusable + caller stub
architecture, the inputs/secrets contract, and updated adoption steps.
Reference implementation pointer updated to note that TalkTerm is now
also a thin caller stub.
Inputs exposed by the reusable workflow:
- project_context (required) — project description for Mary
- focus_area (default '') — typically wired to workflow_dispatch
- research_depth (default 'standard')
- model (default 'claude-opus-4-6') — escape hatch only
- timeout_minutes (default 60)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): add shellcheck disable for GraphQL variable false positive
The gh api graphql queries use $repo / $owner / $categoryId as GraphQL
variables (not shell expansions), which must remain in single quotes.
shellcheck SC2016 fires anyway — disable it for this script.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): use quoted heredocs for GraphQL queries to satisfy SC2016
actionlint runs shellcheck on the entire run script as one unit and ignores
inline disable directives. Rewriting the gh api graphql calls to use
cat <<'GRAPHQL' heredocs makes the GraphQL variable references ($repo,
$owner, $categoryId) shell-inert without depending on single-quoted
string literals — eliminating the SC2016 false positive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: expand prompt variables via Actions expressions, add placeholder guard
CodeRabbit caught a critical latent bug inherited from the original TalkTerm
prompt: shell-style $VAR and $(date) syntax inside the action's `prompt:`
input is NOT expanded — the action receives literal text. This silently
broke variable substitution in every prior run, but mattered most for the
new reusable workflow because PROJECT_CONTEXT is now load-bearing.
Changes:
- Replace $PROJECT_CONTEXT, $FOCUS_AREA, $RESEARCH_DEPTH, and $(date ...)
with ${{ inputs.* }} and ${{ github.run_started_at }} expressions, which
ARE evaluated by GitHub before passing the prompt to the action.
- Add a "Validate project_context is customised" pre-step that fails fast
if an adopter copied the caller stub without replacing the TODO
placeholder. Prevents wasted Opus runs producing generic Discussions.
- scripts/compliance-audit.sh: detect BMAD repos via `_bmad-output/` as
well as `_bmad/`, matching the broader detection rule documented in
ci-standards.md §8 (TalkTerm only has `_bmad-output/`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(lint): drop github.run_started_at (not in actionlint context schema)
The agent can read scan_date from signals.json instead — added a hint
in the Environment section.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(caller): grant cascading permissions on the calling job
CodeRabbit caught: the caller stub had `permissions: {}` at workflow
level and no permissions block on the calling job. Reusable workflows
inherit permissions from the calling job — without an explicit grant,
the reusable workflow's `discussions: write` declaration would have
nothing to apply, and Discussion mutations would fail with FORBIDDEN
just like the original bug we fixed in TalkTerm.
The reusable workflow's job-level permissions are documentation of
what it needs; the caller is what actually grants them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use claude_args --model interface; instruct re-query before create
Two more fixes from CodeRabbit review:
1. Model selection via claude_args (the documented v1 interface)
instead of ANTHROPIC_MODEL env var. claude_args takes precedence over
the env var per the action's docs, so depending on the env var was
relying on undocumented behavior. The pinned v1.0.89 happens to honor
ANTHROPIC_MODEL too (verified in TalkTerm run #3 logs), but the
documented path is more robust against future action upgrades.
2. Re-query existing Ideas discussions before each create. The signals
snapshot only fetches the first page of discussions (GraphQL caps
connections at 100 per page) and only covers the Ideas category, not
the General fallback. Mary now does a fresh query before each create
to avoid duplicates in repos with >100 idea threads or where Ideas
doesn't exist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: pass GH_PAT_WORKFLOWS to actions/checkout so git push uses workflow-scoped token (#82)
* fix: auto-create missing required labels during compliance audit (#79)
Replace passive `missing-label-*` findings with active label creation.
`check_labels()` now calls `gh label create --force` for any required
label absent from a repo. A compliance finding is only filed if creation
fails (insufficient permissions) or when running in DRY_RUN mode.
Resolves the recurring `missing-label-scorecard` finding (#47) by
creating the label on the next audit run rather than just reporting it.
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
* fix: encode compliance-fix learnings into standards and Claude prompt (#86)
* fix(claude-action): grant administration:write, allow gh api/label create, add standards-conformance prompt rules
* docs(ci-standards): add 'Using Templates' section, SHA lookup procedure, document administration:write
* docs(AGENTS): link standards root and per-topic standards files at top of file
* docs(AGENTS): wrap standards-rule paragraph to satisfy MD013 line-length
* fix(claude-action): yamllint disable for long allowedTools line
* fix(claude-action): remove invalid 'administration' permission scope; document GH_PAT_WORKFLOWS as the actual mechanism
* docs(ci-standards): replace bogus 'administration: write' note with explanation of how admin ops actually work via GH_PAT_WORKFLOWS
* feat(workflows): centralize standards via reusable workflows (#87)
* feat(workflows): centralize standards via reusable workflows
Build org-wide reusable workflows for the four standards that previously
required full inline copies in every downstream repo, and migrate the
matching standards/workflows/*.yml templates to thin caller stubs that
delegate via `uses: petry-projects/.github/.github/workflows/*-reusable.yml@main`.
This extends the pattern already proven by feature-ideation and the
existing claude-code-reusable workflow to the rest of the standard set:
- dependency-audit-reusable.yml (zero per-repo config)
- dependabot-automerge-reusable.yml (uses secrets: inherit for APP_*)
- dependabot-rebase-reusable.yml (uses secrets: inherit for APP_*)
- agent-shield-reusable.yml (inputs for severity/required-files/org-ref)
The standards/workflows/claude.yml template was also still the inline
115-line version even though claude-code-reusable.yml has existed for
weeks; migrate it to a stub matching the central repo's own claude.yml.
Each migrated stub now carries a uniform "SOURCE OF TRUTH" header block
telling agents what they may and may not edit. Net effect: ~580 lines
removed from standards/workflows, single point of maintenance for the
five centralizable workflows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): grant read permissions to dependabot caller stubs
Reusable workflows can be granted no more permissions than the calling
workflow has. The dependabot-automerge and dependabot-rebase stubs had
`permissions: {}` at workflow level with no job-level overrides, which
intersected to zero — the reusable's `gh pr ...` calls would fail
because GITHUB_TOKEN had no scopes.
Fix: declare `contents: read` and `pull-requests: read` on the calling
job, matching the scopes the reusable's job already declares. Caught
by Copilot review on #87.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(workflows): note permissions stanza in immutable-stub contract
CodeRabbit follow-up on #87: now that the dependabot stubs declare a
job-level permissions block (required for the reusable's gh API calls),
add it to the "MUST NOT change" list so future adopters don't strip it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(workflows): pin reusable callers to @v1 and document tier model (#88)
* feat(workflows): pin all reusable callers to @v1 + add tier model
Pins all stubs in standards/workflows/ and the central repo's own
.github/workflows/claude.yml from @main to @v1. From here on, a bad
commit on main cannot break every downstream repo simultaneously —
breaking changes will publish v2 and downstream repos opt in.
Adds a "Centralization tiers" section to ci-standards.md documenting
the three tiers (stub / per-repo template / free per-repo) so future
agents know whether a workflow file is editable, what they may tune,
and where to send fixes when behavior needs to change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* revert(workflows): keep central claude.yml caller at @main in this PR
claude-code-action validates that .github/workflows/claude.yml in a PR
is byte-identical to main, so updating it within a normal PR is
impossible — the validation fails before the merge can land. Updating
the central repo's own caller will be done as a tiny separate change
after this lands.
Standards stubs remain pinned to @v1 — that is the change that matters
for downstream repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): unify feature-ideation header + correct tier doc
Address Copilot review on #88:
1. feature-ideation.yml: prepend the same SOURCE OF TRUTH header block
used by the other Tier 1 stubs so the claim "Tier 1 stubs all carry
an identical header" is actually true.
2. ci-standards.md tier table: drop the inaccurate "~30-line" claim
(feature-ideation.yml is ~95 lines because of the `project_context`
input). Replace with "thin caller stub" and call out feature-ideation's
required input alongside agent-shield's optional ones.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect non-stub centralized workflow copies (#89)
* feat(compliance-audit): detect non-stub centralized workflow copies
Adds a new check to compliance-audit.sh that flags downstream repos
whose Tier 1 workflows are not the canonical thin caller stubs pinned
to @v1. For each centralizable workflow (claude, dependency-audit,
dependabot-{automerge,rebase}, agent-shield, feature-ideation), the
check distinguishes three failure modes for actionable findings:
1. Inline copy of pre-centralization logic
→ "is an inline copy instead of a thin caller stub"
2. References the reusable but not pinned to @v1 (e.g. @main, @v0)
→ "references the reusable but is not pinned to @v1"
3. Some other malformed uses: line
→ "the uses: line does not match the canonical stub"
The central .github repo is exempt because it owns the reusables and
may legitimately reference them by @main during release preparation.
Verified locally with hand-crafted fixtures: stub@v1 → no finding,
stub@main → flagged with the @v1 message, inline copy → flagged with
the inline message, missing file → no finding (handled by
check_required_workflows).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): use fixed-string grep for reusable path match
CodeRabbit on #89: the second-branch grep used an unescaped
"petry-projects/.github/.github/workflows/${reusable}" pattern,
where BRE dots could in principle match any character. Switch to
\`grep -F\` (fixed-string) to match the path literally. No real-world
false positive observed (workflow paths contain literal dots), but
the hygiene is right.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): anchor uses: regex + reduce per-repo API calls
Address remaining Copilot review feedback on #89:
1. Anchor the \`uses:\` regex to start-of-line + optional indent
(\`^[[:space:]]*uses:\`) so a commented \`# uses: ...@v1\` line
cannot fool the check into marking an inline workflow as compliant.
Verified with a fixture: a workflow whose only mention of @v1 is in
a YAML comment is now correctly flagged.
2. List \`.github/workflows/\` once per repo and short-circuit the
per-file check when the workflow isn't present, instead of probing
each of the six centralized files individually. Cuts up to 5 wasted
gh api calls per repo (worst case ~2500 fewer requests across the
org per audit run).
3. Drop the misleading "missing workflow caught by check_required_workflows"
comment — only some of the six are required (claude, dependency-audit,
dependabot-automerge, agent-shield); dependabot-rebase and feature-ideation
are intentionally optional/conditional. The new directory-listing
short-circuit handles all of these uniformly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(apply-rulesets): use Tier 1 reusable check names (#94)
Closes #91.
`scripts/apply-rulesets.sh` previously only knew about claude.yml,
sonarcloud.yml, codeql.yml, and ci.yml when building required-status-
checks lists. For claude.yml it composed `<workflow-display-name> /
claude` (e.g. "Claude Code / claude") — but GitHub actually publishes
reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`,
which is "claude-code / claude". The old format never matched real
checks, so the rule was effectively never satisfied — which is why
markets and bmad-bgreat-suite deadlocked at merge time after #87.
Fix:
- Drop the legacy claude.yml block.
- Hardcode the new check names for the centralized workflows that ARE
safe to require: `agent-shield / AgentShield` and
`dependency-audit / Detect ecosystems`.
- Document why claude-code / claude, the per-ecosystem dependency-audit
jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT
required: claude-code's app-token validation deadlocks workflow PRs;
per-ecosystem jobs report SKIPPED when their lockfile is absent and
required-but-skipped fails the gate; the dependabot/feature-ideation
jobs run on triggers other than regular PRs.
After this lands, run `apply-rulesets.sh` against every petry-projects
repo to converge on the new names.
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): address CodeRabbit suggestions deferred from #87 (#93)
* fix(workflows): address CodeRabbit suggestions deferred from #87
Closes #90.
1) agent-shield-reusable.yml — SKILL.md frontmatter regex now allows
optional leading whitespace (`^[[:space:]]*name:` /
`^[[:space:]]*description:`), so indented YAML keys (e.g. under a
`metadata:` parent) are recognised as present. Previously the strict
column-zero anchor missed them.
2) dependabot-rebase-reusable.yml — fix vacuous-truth merge gate.
`[].statusCheckRollup[]? | ... | all(...)` returns true on an empty
list (logical convention), which made a PR with no status checks
appear "all green" and trigger an auto-merge. New gate also requires
at least one COMPLETED check before merging, in addition to the
existing all-pass and zero-pending requirements. Also collapses the
three `gh pr view` calls into one round-trip via a shared $ROLLUP.
3) dependency-audit-reusable.yml — cargo audit no longer re-runs per
workspace member. The new logic finds workspace roots (Cargo.toml
files containing `[workspace]`) and audits them once each, then
audits standalone crates whose dir is not under any workspace root.
For a workspace with N members, that's 1 audit instead of N+1.
4) dependency-audit-reusable.yml — pip-audit now audits both
pyproject.toml AND requirements.txt when both exist in the same
directory (some projects ship pyproject for tooling and
requirements.txt for pinned runtime deps). Previously the elif
branch made requirements.txt unreachable.
All four were originally raised by CodeRabbit on petry-projects/.github#87
and intentionally deferred to keep that PR no-behavior-change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(workflows): single space before cron comment in feature-ideation stub
The canonical stub had three spaces aligning the comment after the cron
expression. Repos that run prettier in their lint chain (e.g.
google-app-scripts) hit a `prettier --check` failure on every fresh
adoption — see petry-projects/google-app-scripts#151. Bringing the
template in line with prettier defaults so future adopters don't drift.
---------
Co-authored-by: DJ <dj@Rachels-MacBook-Air.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(compliance-audit): detect stale required-check names in rulesets (#96)
* feat(compliance-audit): detect stale required-check names in rulesets
Closes #92.
Adds `check_centralized_check_names` to compliance-audit.sh. For every
non-`.github` repo in the org, fetches the active required-status-check
contexts from BOTH the new ruleset system (gh api .../rules/branches/main)
and classic branch protection (gh api .../branches/main/protection),
then flags two distinct problems:
1. Stale pre-centralization names (`claude`, `claude-issue`,
`AgentShield`, `Detect ecosystems`) — emits
`stale-required-check-<old-name>` with the canonical replacement in
the message.
2. `claude-code / claude` listed as required — emits
`required-claude-code-check-broken` because that check is
structurally incompatible with workflow-modifying PRs:
claude-code-action's GitHub App refuses to mint a token whenever
the PR diff includes a workflow file, so the check fails on every
workflow PR and the merge gate becomes a deadlock. This was the
exact root cause of the markets/bmad-bgreat-suite stuck PRs from
#87 sweep.
Tested locally with stub fixtures for all four cases (stale claude,
stale AgentShield, broken claude-code/claude, clean ruleset).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): never recommend renaming claude → claude-code/claude
CodeRabbit on #96: the rename map said `claude` → `claude-code / claude`,
but a separate check correctly flags `claude-code / claude` as a forbidden
required check (it deadlocks workflow PRs). Following the rename
recommendation would have moved a repo from one broken state to another.
Fix: split the logic into two distinct sets.
1. `renames[]` — only contains checks where the new name is safe to
require (AgentShield, Detect ecosystems). These get a "rename to X"
message.
2. `forbidden_required[]` — contains every claude variant (legacy and
post-centralization). Any of them as a required check emits a
stable per-name finding telling the maintainer to REMOVE it from
required checks, not rename it.
The Claude review check still runs and surfaces feedback on normal PRs
without being a merge gate; only the required-status-checks pin is
removed.
Each forbidden_required entry maps to a stable check id so findings
don't churn across audit runs from slashes in canonical names.
Verified locally with stub fixtures for all five cases:
stale `claude` -> required-claude-check-broken
stale `claude-issue` -> required-claude-issue-check-broken
`claude-code / claude` -> required-claude-code-check-broken
stale `AgentShield` -> stale-required-check-AgentShield (rename)
clean ruleset -> 0 findings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(compliance-audit): suffix-match forbidden Claude required checks
Address remaining CodeRabbit feedback on #96: the previous exact-match
list (`claude-code / claude`, `claude-code / claude-issue`) only caught
the canonical caller-job-id. Repos with a custo…
Adds persist-credentials: false to copilot-setup-steps.yml checkout step. Updates .gitignore to cover .dev-lead/ worktrees and CI-generated actionlint binaries. Updates standards/workflows/copilot-setup-steps.yml to match. Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
don-petry
force-pushed
the
claude/issue-291-20260515-0147
branch
from
d60b007 to
a4e7b40
Compare
Contributor
Author
Dev-Lead — rebase (no-changes)Agent reasoning |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
This was referenced Jun 11, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes three gaps that prevented Claude from automatically addressing issues raised by trusted bots and CI failures.
Fix A — Replace
check_runwithworkflow_runfor CI failurescheck_runis not a supported event type inclaude-code-action(throwsUnsupported event type: check_runon every run). Replaced withworkflow_run, which is natively supported and providespull_requests[0].numberdirectly. Fork-safety is enforced viapull_requests[0].head.repo.full_name == github.repositoryin the jobif:condition, replacing the previous runtime shell check.The
standards/workflows/claude.ymltemplate is updated to useworkflow_runwith a commented example list of workflow names. Each adopting repo must customize theworkflows:list to match their actual CI workflow names.Fix B — Add
claude-fix-pr-reviewsfor trusted bot PR reviewsWhen Copilot (
copilot-pull-request-reviewer[bot]) or Gemini (gemini-code-assist[bot]) submits a top-levelpull_request_reviewevent, no job was handling it. The newclaude-fix-pr-reviewsjob triggers onpull_request_review: submittedfrom the trusted bot allowlist, skipsAPPROVEDreviews (no action needed), and follows the same fix-threads cycle as the existingclaude-fix-review-commentsjob. Usesallowed_botsto bypass theauthor_associationguard.Fix C — Add
claude-fix-bot-commentsfor trusted external tool commentsExternal bots like
sonarqubecloud[bot]andcoderabbitai[bot]haveauthor_association: NONE, causing theclaudejob's guard to silently skip theirissue_commentevents. The newclaude-fix-bot-commentsjob handles these with an explicit bot allowlist andallowed_botsinput.Files changed
.github/workflows/claude-code-reusable.ymlclaude-ci-fixforworkflow_run; addedclaude-fix-pr-reviewsandclaude-fix-bot-commentsjobsstandards/workflows/claude.ymlpull_request_review: [submitted]andworkflow_run: [completed]; replacedcheck_run; updated header commentstandards/ci-standards.mdSecurity
allowed_botsis used with explicit named lists, not wildcardsclaude-ci-fixgates onpull_requests[0].head.repo.full_name == github.repository;claude-fix-pr-reviewsgates onpull_request.head.repo.full_name == github.repositoryRequired follow-up (per-repo)
Each repo consuming
claude.ymlmust update its.github/workflows/claude.ymlto replace thecheck_runtrigger with:Closes #291
Generated with Claude Code
Summary by CodeRabbit
Chores
Documentation