fix(compliance): add CLAUDE.md and dependabot.yml

[don-petry]

Summary

• Adds CLAUDE.md with required AGENTS.md reference (fixes claude-md-missing-agents-ref)
• Adds .github/dependabot.yml with github-actions ecosystem, security and dependencies labels (fixes missing-github-actions-ecosystem, missing-security-label, missing-dependencies-label)

Compliance findings addressed

Finding	Severity	Status
claude-md-missing-agents-ref	error	✅ Fixed
missing-github-actions-ecosystem	error	✅ Fixed
missing-security-label	warning	✅ Fixed
missing-dependencies-label	warning	✅ Fixed

Remaining findings requiring human action

The following findings for .github-private require elevated permissions not available to this agent:

• Workflow files (missing-ci.yml, missing-pr-review-mention.yml, non-stub-auto-rebase.yml, non-stub-dependabot-automerge.yml, non-stub-agent-shield.yml) — require workflows write permission
• SHA pinning in workflow files (unpinned-actions-*) — require workflows write permission
• Repository settings (allow_auto_merge, delete_branch_on_merge, check-suite-auto-trigger-*) — run bash scripts/apply-repo-settings.sh .github-private with admin credentials
• Secret scanning settings — run bash scripts/apply-repo-settings.sh .github-private

Part of petry-projects/.github#261

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated internal project documentation and configuration guidelines.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 59 minutes and 49 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 169c921b-39c2-486f-90a4-19ec36942e0b

📥 Commits

Reviewing files that changed from the base of the PR and between b34e302 and 2508628.

📒 Files selected for processing (2)

• .github/dependabot.yml
• CLAUDE.md

📝 Walkthrough

Walkthrough

Added CLAUDE.md with repository-specific Claude Code guidance, directing agents to org-wide standards in AGENTS.md, defining the .github-private repository's purpose and structure, and establishing operational rules for shell script editing and GitHub Actions SHA pinning.

Changes

Repository Development Guidance for Claude Code

Layer / File(s)	Summary
Claude Code repository guidance CLAUDE.md	New file establishes development standards for Claude Code usage in .github-private, references org-wide AGENTS.md standards, documents repository contents (agents, scripts, workflows), and defines operational rules: shell scripts must pass shellcheck and GitHub Actions must pin SHAs via GitHub API lookup.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• Compliance: unpinned-actions-claude.yml .github#105: CLAUDE.md guidance on pinning action SHAs directly addresses the unpinned-action finding for claude.yml.
• Compliance audit — 2026-05-08 .github#215: Added CLAUDE.md in .github-private matches the requested documentation update to CLAUDE.md/AGENTS.md.
• Compliance audit — 2026-05-12 .github#261: CLAUDE.md addition with action SHA pinning and workflow practices guidance directly addresses compliance audit findings.
• Compliance audit — 2026-05-12 .github#250: Both changes modify .github-private/CLAUDE.md, adding AGENTS.md reference and action SHA pinning guidance.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title references both CLAUDE.md and dependabot.yml, but the raw summary only documents CLAUDE.md changes; dependabot.yml is not mentioned or summarized.	Either update the title to reflect only the documented changes (e.g., 'fix(compliance): add CLAUDE.md'), or confirm that dependabot.yml changes are included and ensure they are documented in the summary.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-261-compliance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a Dependabot configuration for GitHub Actions and a CLAUDE.md file to provide context and guidelines for Claude Code. The review feedback suggests bundling Dependabot updates into groups to reduce noise, expanding the repository purpose section to include missing directories, and adding a commands section for common tasks like shell script linting.

[gemini-code-assist]

The "Repository Purpose" section is missing the prompts/ and frameworks/ directories, which are key components of this repository as described in the README.md and AGENTS.md. Including them provides essential context for the agent's understanding of the project structure.

Suggested change

	- **`agents/`** — Copilot custom agent profiles (org-wide, invocable from GitHub.com, VS Code, JetBrains)
	- **`scripts/`** — Shell orchestration for GitHub Actions (PR review, health checks)
	- **`.github/workflows/`** — Scheduled automation (PR review, health checks, dependency audit)
	- **`agents/`** — Copilot custom agent profiles (org-wide, invocable from GitHub.com, VS Code, JetBrains)
	- **`prompts/`** — Prompt libraries used by workflows
	- **`scripts/`** — Shell orchestration for GitHub Actions (PR review, health checks)
	- **`frameworks/`** — Installed agentic frameworks (git subtree)
	- **`.github/workflows/`** — Scheduled automation (PR review, health checks, dependency audit)

[gemini-code-assist]

CLAUDE.md files are most effective for Claude Code when they include a "Commands" section for common tasks like linting. This allows the agent to verify its work autonomously using the tools mentioned in the guidelines.

Suggested change

	## Key Guidelines
	- This repo contains shell scripts executed by GitHub Actions — test changes locally with `shellcheck`
	- Workflow files here are non-stub (not thin callers) — they contain org-private automation logic
	- SHAs for action pinning must be looked up via the GitHub API — never guessed
	## Key Guidelines
	- This repo contains shell scripts executed by GitHub Actions — test changes locally with `shellcheck`
	- Workflow files here are non-stub (not thin callers) — they contain org-private automation logic
	- SHAs for action pinning must be looked up via the GitHub API — never guessed
	## Commands
	- Lint shell scripts: `shellcheck scripts/*.sh`

[Copilot]

Pull request overview

Adds missing compliance artifacts for this org-level .github-private repository: Claude Code instructions and Dependabot configuration for GitHub Actions updates.

Changes:

• Add CLAUDE.md with a reference to AGENTS.md and repository-specific guidance.
• Add .github/dependabot.yml to enable weekly GitHub Actions dependency updates with security and dependencies labels.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
CLAUDE.md	Adds Claude Code repo instructions and points contributors to AGENTS.md standards.
.github/dependabot.yml	Enables Dependabot for the github-actions ecosystem with standard labels.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[donpetry-bot]

Superseded by automated re-review at 881d6da3448bdc81863695ad5150975e4723e9d2 — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[donpetry-bot]

Superseded by automated re-review at 5e0577b6e6511b9b3ebe4d5b2bbee79f622d5f5a — click to expand prior review.

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[donpetry-bot]

Review — fix requested (cycle 3/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
No action required. The SonarQube quality gate passed with 0 new issues,
0 security hotspots, and 0 duplications. The changed files (.github/dependabot.yml,
CLAUDE.md) contain no SonarQube hotspot patterns. There are no open review threads
from sonarqubecloud[bot] to resolve. No Tier 1 CI blockers exist.
```

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
```
**Assessment:** The Quality Gate passed with 0 new issues and 0 security hotspots. There are no open review threads from `sonarqubecloud[bot]` to resolve. The two changed files (`CLAUDE.md` and `.github/dependabot.yml`) contain no SonarQube hotspot patterns (no `curl | bash`, no hardcoded credentials, no insecure downloads). All CI checks are green and no review is in `CHANGES_REQUESTED` state, so there are zero Tier 1 blockers. No action is required.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
```
**Assessment:** The SonarQube quality gate passed with 0 new issues, 0 security hotspots, and 0 duplications. There are no Tier 1 CI blockers (all checks completed with `success` or `skipped`) and no `CHANGES_REQUESTED` reviews. The two changed files (`CLAUDE.md` and `.github/dependabot.yml`) contain no SonarQube hotspot patterns (no `curl|bash`, no hardcoded secrets, no `eval`/`exec`, no HTTP URLs). There are also no open unresolved threads from this bot to resolve. No changes are required.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
Notes: Quality Gate passed — 0 new issues, 0 security hotspots, 0 duplication.
No open review threads from sonarqubecloud[bot] exist. No SonarQube hotspot
patterns (curl|bash, hardcoded credentials, eval with user input, HTTP URLs)
found in the PR's changed files (.github/dependabot.yml, CLAUDE.md).
No Tier 1 blockers present (all CI checks green, no CHANGES_REQUESTED reviews).
No action required.
```

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

@dev-lead please re-check this PR — re-triggering after the dev-lead/pr-review workflows were briefly disabled.

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

PR Review — fix(compliance): add CLAUDE.md and dependabot.yml

Overview

This PR adds two compliance artifacts for the .github-private repo:

1. CLAUDE.md (new) — Claude Code context file
2. .github/dependabot.yml (updated) — restructured and extended with required labels and grouping

Both changes are focused and purposeful, addressing four documented compliance findings.

---

CLAUDE.md — New File ✅

• Correctly references AGENTS.md — satisfies the claude-md-missing-agents-ref finding
• Repository purpose section is complete — lists agents/, prompts/, scripts/, frameworks/, and .github/workflows/, consistent with AGENTS.md and README.md
• Key guidelines accurately distinguish thin-caller stubs from org-private workflows — the bullet correctly names claude.yml, agent-shield.yml, auto-rebase.yml, dependabot-automerge.yml as stubs and notes that others contain private logic. This matches the note in AGENTS.md about not modifying agent-shield.yml and the dev-lead.yml distinction
• Commands section includes shellcheck scripts/*.sh — appropriate, matches the project's linting practice
• SHA pinning note is consistent with the project's policy against guessing SHAs

One observation: CLAUDE.md lists frameworks/ as "Installed agentic frameworks (git subtree)" but the current AGENTS.md also lists bmad-method, spec-kit, gsd by name. Not a blocker — the CLAUDE.md description is accurate enough for Claude Code's purposes.

---

.github/dependabot.yml — Restructured ✅

Key improvements over the previous version:

• version: 2 moved to the top — the old file had it at the bottom, which is technically valid but non-canonical; top placement is the dependabot spec convention
• YAML indentation regularized — consistent 2-space indentation under updates:
• security and dependencies labels added — fixes missing-security-label and missing-dependencies-label findings
• groups: block added — bundles all action updates into a single PR, reducing CI noise; this addresses the Gemini reviewer feedback from earlier in the thread
• ignore: for github/gh-aw-actions/* preserved — the lock comment explaining the gh-aw compiler version-lock is retained

No functional regressions: the github-actions ecosystem, / directory, weekly schedule, and 10 PR limit are all preserved.

---

Previous Reviewer Feedback — Status

Reviewer	Comment	Status
Gemini	Add groups: to bundle action updates	✅ Addressed — groups.actions with "*" pattern present
Gemini	List prompts/ and frameworks/ in CLAUDE.md	✅ Addressed — both are listed
Gemini	Add Commands section to CLAUDE.md	✅ Addressed — shellcheck scripts/*.sh present
Copilot	Clarify thin-caller vs. non-stub distinction	✅ Addressed — current wording correctly names stubs and distinguishes from private logic workflows
CodeRabbit	—	✅ Approved (2026-06-06)

---

Test / Lint Verification

• shellcheck on scripts/*.sh: only pre-existing SC1091 (info, source-following) and SC2016 (info, single-quote expansion) notices — none introduced by this PR, no errors or warnings
• No shell scripts modified; both changed files are YAML and Markdown — no additional test surface

---

Verdict

Looks good. Both files are correct, complete, and consistent with AGENTS.md standards. All four compliance findings are addressed, all previous reviewer feedback has been incorporated, and no regressions are introduced. The remaining findings listed in the PR description (workflow files, SHA pinning, repo settings, secret scanning) appropriately require elevated permissions and are correctly deferred to human action.

Note: Cannot self-approve — this PR was opened by the same bot account. A human reviewer from org-leads should provide the required approval.

[don-petry]

Dev-Lead — on-mention (no-changes)

Engine ran but made no changes.

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
Notes:
- SonarCloud Quality Gate passed with 0 new issues, 0 security hotspots,
  0.0% duplication on new code — nothing actionable.
- All CI checks are success or skipped; no CHANGES_REQUESTED reviews.
- No open review threads from sonarqubecloud[bot] to resolve.
- PR diff contains only .github/dependabot.yml (YAML restructure) and
  CLAUDE.md (new Markdown file) — neither file introduces hotspot patterns
  (curl|bash, hardcoded credentials, eval with user input, HTTP downloads).
- No code changes required.
```

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
Quality Gate: passed — 0 new issues, 0 security hotspots, 0 duplications on new code.
No Tier 1 blockers exist (all CI checks pass or skipped; no CHANGES_REQUESTED reviews).
No open threads from sonarqubecloud[bot] to resolve.
PR diff contains only YAML and Markdown — no hotspot-prone code patterns present.
No action required.
```

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Files changed: none
Skipped (informational): 0
No-changes declaration: valid.
  - Quality Gate passed: 0 new issues, 0 security hotspots
  - No open review threads from sonarqubecloud[bot] to resolve
  - PR diff contains only YAML and Markdown — no hotspot-eligible code patterns
  - Zero Tier 1 blockers (CI: all success/skipped; reviews: no CHANGES_REQUESTED)
```