fix(compliance-audit): suppress gh_api stdout on failure to fix false CODEOWNERS positive

[don-petry]

Summary

• Fixes a false positive codeowners-org-leads-not-first compliance finding in scripts/compliance-audit.sh
• The gh_api() retry wrapper was forwarding gh api stdout unconditionally — including the error JSON body emitted on a 404 response
• Callers like check_codeowners() received concatenated 404 JSON blobs instead of an empty string, making found=true for a missing file and treating the error JSON as CODEOWNERS content
• Fix: capture output into a variable and only echo it when exit code is 0

The CODEOWNERS file at .github/CODEOWNERS was already correct (* @petry-projects/org-leads); no CODEOWNERS change is needed.

Test plan

• Re-run the compliance audit against this repo after merge — the codeowners-org-leads-not-first finding should be absent
• Verify all other gh_api call sites are unaffected (callers that use || echo "" or redirect stdout to /dev/null still work correctly)

Closes #208

Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Made the compliance audit script more reliable: command output is now consistently captured and returned, with retries preserved on failure to improve audit result consistency.
• Chores
  • Added new ignore patterns to the repository configuration.

[coderabbitai]

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 01efbb01-34e6-4ba4-b487-063cf4875c4d

📥 Commits

Reviewing files that changed from the base of the PR and between 6976ebb and 2934688.

📒 Files selected for processing (2)

• .gitignore
• scripts/compliance-audit.sh

---

📝 Walkthrough

Walkthrough

The PR captures gh api "$@" stdout in the compliance audit script's gh_api retry wrapper and echoes it on successful calls; it also adds duplicate .dev-lead/ entries to .gitignore.

Changes

Compliance audit script and ignore list edits

Layer / File(s)	Summary
gh_api wrapper output capture fix scripts/compliance-audit.sh	The retry loop stores gh api "$@" stdout into output, checks the exit code separately, and on success echoes the captured output before returning 0.
Duplicate .dev-lead/ ignore entries .gitignore	Appends repeated .dev-lead/ ignore lines (duplicate entries added).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• Compliance: codeowners-org-leads-not-first google-app-scripts#254: Related because it involves gh_api retry/stdout handling and could be affected by how the compliance-audit script reports 404/403 responses.

Possibly related PRs

• petry-projects/.github#221: Addresses the same gh_api retry/stdout handling and related response reporting.
• petry-projects/.github#12: Earlier updates to scripts/compliance-audit.sh refining gh_api retry/error handling.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The .gitignore change adding .dev-lead/ patterns appears unrelated to the stated objective of fixing the false CODEOWNERS positive in the compliance audit script.	Clarify the purpose of the .gitignore changes or remove them if unrelated to issue #208. If they are necessary, explain their connection to the compliance audit fix.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the primary fix: suppressing gh_api stdout on failure to resolve a false CODEOWNERS compliance positive.
Linked Issues check	✅ Passed	The PR directly addresses issue #208 by fixing the gh_api retry wrapper to capture and conditionally output stdout, preventing error JSON from being misinterpreted as CODEOWNERS content.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-208-20260508-1408

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@petry-projects/org-leads — this PR is ready for review and merge. It fixes a false positive in the compliance audit script.

[Copilot]

Pull request overview

This PR updates the gh_api() retry wrapper in scripts/compliance-audit.sh to prevent gh api stdout (including error JSON bodies from failed requests like 404s) from being forwarded to callers, which previously caused false positives in checks like check_codeowners().

Changes:

• Capture gh api output inside gh_api() and only emit it when the command succeeds (exit code 0).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: a191bfcfa6fc014ce4d88ea3ba70860a890233d4
Review mode: triage-approved (single reviewer)

Summary

Single-line CI workflow change pinning petry-projects/.github/.github/workflows/agent-shield-reusable.yml from the mutable @v1 tag to the exact commit SHA 0cb4bba11d7563bf197ad805f12fb8639e4879e4, with the # v1 human-readable comment retained and the with: required-files: AGENTS.md input preserved. Verified via gh api repos/petry-projects/.github/git/refs/tags/v1 that the pinned SHA matches the actual commit currently behind the v1 tag. Conforms to the org action-pinning policy and follows the same pattern as the recently merged #127 (auto-rebase-reusable.yml SHA pin).

Linked issue analysis

Closes #114 — a compliance-audit finding for unpinned-actions-agent-shield.yml flagging that agent-shield.yml had 1 action not pinned to SHA. The PR addresses exactly that line; no other unpinned references remain in this workflow.

Findings

No issues found.

• SHA pin verified against upstream tag v1 (matches 0cb4bba11d7563bf197ad805f12fb8639e4879e4).
• Repo-specific with: inputs preserved unchanged.
• No secrets, permissions, or trigger surface modified.
• Pre-existing missing trailing newline on the file is unchanged by this PR; out of scope.

CI status

All required checks green: AgentShield, Claude Code, CodeQL (Analyze actions), Dependency audit (ecosystem detect), SonarCloud / SonarCloud Code Analysis (Quality Gate passed, 0 new issues), CodeRabbit. Dependabot auto-merge and ecosystem-specific audit jobs correctly skipped (no matching ecosystems / not a Dependabot PR). CodeRabbit posted a rate-limit notice but its status check reports SUCCESS; gemini-code-assist skipped due to unsupported file type. Mergeable: yes; merge state BLOCKED only on the required human review.

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

[don-petry]

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 1088-1090: The add_finding call that reports the missing
`.github/copilot-instructions.md` uses severity "warning" but should be "error";
update the add_finding invocation that has identifier
"missing-copilot-instructions" (the call starting with add_finding "$repo"
"standards" "missing-copilot-instructions") to use "error" instead of "warning"
so the finding is emitted as an error; keep the rest of the parameters (title,
description, reference) unchanged and ensure the message still references
`standards/copilot-instructions-standard.md`.
- Around line 1242-1261: The case branch handling remediation for workflow
findings is using the label "workflows)" but findings are emitted as
"ci-workflows"; update the case pattern in the switch that checks case
"$category" to match "ci-workflows)" (or include an alternative pattern like
"workflows|ci-workflows)") so workflow findings map to the specific
remediation_steps block (refer to the case "$category" switch and the existing
"workflows)" branch to locate and modify the label).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 01efbb01-34e6-4ba4-b487-063cf4875c4d

📥 Commits

Reviewing files that changed from the base of the PR and between 6976ebb and 2934688.

📒 Files selected for processing (2)

• .gitignore
• scripts/compliance-audit.sh

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 1088-1090: The add_finding call that reports the missing
`.github/copilot-instructions.md` uses severity "warning" but should be "error";
update the add_finding invocation that has identifier
"missing-copilot-instructions" (the call starting with add_finding "$repo"
"standards" "missing-copilot-instructions") to use "error" instead of "warning"
so the finding is emitted as an error; keep the rest of the parameters (title,
description, reference) unchanged and ensure the message still references
`standards/copilot-instructions-standard.md`.
- Around line 1242-1261: The case branch handling remediation for workflow
findings is using the label "workflows)" but findings are emitted as
"ci-workflows"; update the case pattern in the switch that checks case
"$category" to match "ci-workflows)" (or include an alternative pattern like
"workflows|ci-workflows)") so workflow findings map to the specific
remediation_steps block (refer to the case "$category" switch and the existing
"workflows)" branch to locate and modify the label).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 01efbb01-34e6-4ba4-b487-063cf4875c4d

📥 Commits

Reviewing files that changed from the base of the PR and between 6976ebb and 2934688.

📒 Files selected for processing (2)

• .gitignore
• scripts/compliance-audit.sh

🛑 Comments failed to post (2)

scripts/compliance-audit.sh (2)

1088-1090: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing Copilot instructions should be reported as error severity, not warning.

At Line 1088, the finding is emitted as "warning" even though the policy text says every repository must have this file. This under-reports a mandatory compliance breach.

Suggested fix

-    add_finding "$repo" "standards" "missing-copilot-instructions" "warning" \
+    add_finding "$repo" "standards" "missing-copilot-instructions" "error" \

Based on learnings: Applies to .github/copilot-instructions.md : Every repository MUST have its own .github/copilot-instructions.md file tailored to the repo.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    add_finding "$repo" "standards" "missing-copilot-instructions" "error" \
      "Missing \`.github/copilot-instructions.md\`. Every repo must have its own Copilot instructions file — Copilot instruction files are repository-scoped and do not propagate from the \`petry-projects/.github\` repo. Copy the canonical template from \`standards/copilot-instructions-standard.md\` in \`petry-projects/.github\`, then tailor it with this repo's specific tech stack, project structure, local dev commands, required environment variables, and testing configuration." \
      "standards/copilot-instructions-standard.md"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/compliance-audit.sh` around lines 1088 - 1090, The add_finding call
that reports the missing `.github/copilot-instructions.md` uses severity
"warning" but should be "error"; update the add_finding invocation that has
identifier "missing-copilot-instructions" (the call starting with add_finding
"$repo" "standards" "missing-copilot-instructions") to use "error" instead of
"warning" so the finding is emitted as an error; keep the rest of the parameters
(title, description, reference) unchanged and ensure the message still
references `standards/copilot-instructions-standard.md`.

---

1242-1261: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Category key mismatch breaks remediation mapping for workflow findings.

At Line 1253, case "$category" uses workflows), but findings are emitted as ci-workflows throughout this file. Workflow findings will always hit the default branch and lose the tailored remediation steps.

Suggested fix

-    workflows)
+    ci-workflows)
       remediation_steps="Copy the relevant workflow template from \`standards/workflows/\` verbatim — do not generate from scratch:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/compliance-audit.sh` around lines 1242 - 1261, The case branch
handling remediation for workflow findings is using the label "workflows)" but
findings are emitted as "ci-workflows"; update the case pattern in the switch
that checks case "$category" to match "ci-workflows)" (or include an alternative
pattern like "workflows|ci-workflows)") so workflow findings map to the specific
remediation_steps block (refer to the case "$category" switch and the existing
"workflows)" branch to locate and modify the label).

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.