fix(standards): pin auto-rebase stub to SHA to satisfy SonarCloud security gate

scripts/compliance-audit.sh

@@ -697,14 +697,21 @@ check_ci_concurrency() {
 }
 
 # ---------------------------------------------------------------------------
-# Check: Tier 1 centralized workflows must be thin caller stubs pinned to @v1
+# Check: Tier 1 centralized workflows must be thin caller stubs using an
+# immutable SHA pin (preferred) or @v1 tag (legacy, still accepted).
 #
 # For each workflow that the org has centralized into a reusable workflow,
 # verify the downstream repo's copy is a stub that delegates via:
+#   uses: petry-projects/.github/.github/workflows/<reusable>.yml@<40-hex-SHA> # v1
+# or (legacy, still accepted):
 #   uses: petry-projects/.github/.github/workflows/<reusable>.yml@v1
 #
+# SHA-pinned references are preferred because mutable tags (@v1) are flagged
+# as Security Hotspots by SonarCloud. The canonical stub in
+# standards/workflows/ uses the SHA-pinned format.
+#
 # This prevents drift: a repo that copies the inline pre-centralization
-# version (or pins to @main, or pins to an older tag) is flagged so it
+# version (or pins to @main, or pins to an older SHA/tag) is flagged so it
 # can be re-synced from the standard. The central .github repo itself is
 # exempt because it owns the reusables and may legitimately reference
 # its own workflows by @main during release prep.
@@ -753,28 +760,34 @@ check_centralized_workflow_stubs() {
     decoded=$(echo "$content" | base64 -d 2>/dev/null || echo "")
     [ -z "$decoded" ] && continue
 
-    # Required pattern: a non-comment line whose `uses:` value is exactly
-    # petry-projects/.github/.github/workflows/<reusable>.yml@v1
-    # Anchor to start-of-line + optional indent so a `# uses: ...` comment
-    # cannot satisfy the check.
-    local expected="petry-projects/\\.github/\\.github/workflows/${reusable}\\.yml@v1"
-
-    if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*${expected}([[:space:]]|$)"; then
-      continue  # stub is correctly pinned to @v1 — compliant
+    # Accept two canonical forms — anchor to start-of-line + optional indent so
+    # a `# uses: ...` comment cannot satisfy the check.
+    #
+    # Preferred (SHA-pinned, satisfies SonarCloud security gate):
+    #   uses: petry-projects/.github/.github/workflows/<reusable>.yml@<40-hex-SHA> [# comment]
+    # Legacy (still accepted for backwards compatibility):
+    #   uses: petry-projects/.github/.github/workflows/<reusable>.yml@v1
+    local base="petry-projects/\\.github/\\.github/workflows/${reusable}\\.yml"
+
+    if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*${base}@[0-9a-f]{40}([[:space:]]|$)"; then
+      continue  # SHA-pinned reference to canonical reusable — compliant
+    fi
+    if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*${base}@v1([[:space:]]|$)"; then
+      continue  # @v1 tag reference — compliant (SHA-pinned preferred; see canonical stub)
     fi
 
     # Determine why it's non-compliant for a more actionable message.
     local why
     if echo "$decoded" | grep -qE "^[[:space:]]*uses:[[:space:]]*petry-projects/\\.github/\\.github/workflows/${reusable}\\.yml@"; then
-      why="references the reusable but is not pinned to \`@v1\` (org standard)"
+      why="references the reusable but is not pinned to a full commit SHA or \`@v1\` (org standard)"
     elif echo "$decoded" | grep -qF "petry-projects/.github/.github/workflows/${reusable}"; then
       why="references the reusable but the \`uses:\` line does not match the canonical stub"
     else
       why="is an inline copy instead of a thin caller stub — re-sync from \`standards/workflows/${wf}\`"
     fi
 
     add_finding "$repo" "ci-workflows" "non-stub-$wf" "error" \
-      "Centralized workflow \`$wf\` $why. Replace with the canonical stub from \`standards/workflows/${wf}\` which delegates to \`petry-projects/.github/.github/workflows/${reusable}.yml@v1\`." \
+      "Centralized workflow \`$wf\` $why. Replace with the canonical stub from \`standards/workflows/${wf}\` which delegates to \`petry-projects/.github/.github/workflows/${reusable}.yml\` using a SHA-pinned reference (see the stub for the current SHA)." \
       "standards/ci-standards.md#centralization-tiers"
   done
 }

standards/ci-standards.md

@@ -528,7 +528,7 @@
 Without it the sentinel comment still appears but no automatic resolution will run.
 Dependabot PRs are excluded because `dependabot-rebase.yml` handles those.
 
-**Compliance:** The compliance audit (`check_centralized_workflow_stubs`) verifies that repos adopting `auto-rebase.yml` use the canonical thin caller stub delegating to `petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@v1`.
+**Compliance:** The compliance audit (`check_centralized_workflow_stubs`) verifies that repos adopting `auto-rebase.yml` use the canonical thin caller stub delegating to `petry-projects/.github/.github/workflows/auto-rebase-reusable.yml` with a SHA-pinned reference (e.g. `@126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 # v1`). The `@v1` mutable tag is still accepted for backwards compatibility but SHA-pinned references are preferred to satisfy SonarCloud's supply-chain security gate.
 
 ### 10. PR Review Mention (`pr-review-mention.yml`)
 

standards/workflows/auto-rebase.yml

@@ -38,5 +38,5 @@ jobs:
     permissions:
       contents: write      # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
       pull-requests: write # post comments on PRs
-    uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@v1
+    uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 # v1
     secrets: inherit