
fix(compliance): 2026-05-11 audit findings for .github repo #243

Open

don-petry wants to merge 42 commits into main from claude/issue-241-20260511-1243


Conversation

@don-petry (Contributor) commented May 11, 2026

Summary

Fixes the compliance audit findings for the .github repository from the 2026-05-11 audit.

Changes in this PR

  • ci.yml: Added required secret-scan job using gitleaks/gitleaks-action (fixes secret_scan_ci_job_present)
  • dependency-audit.yml: Pinned dtolnay/rust-toolchain@stable to commit SHA 29eef336 (fixes unpinned-actions-dependency-audit.yml)

Applied via GitHub API (no file changes)

  • CodeQL default setup: Configured via PATCH /repos/petry-projects/.github/code-scanning/default-setup (fixes codeql-default-setup-not-configured)
  • Repo settings: Enabled allow_auto_merge=true and delete_branch_on_merge=true (fixes those warnings)
  • Check-suite auto-trigger: Disabled for app IDs 1236702 (Claude) and 347564 (CodeRabbit) (fixes check-suite-auto-trigger-* errors)

False Positives — No Action Needed

The following findings from the audit are false positives per the Exception in ci-standards.md#exception-internal-reusable-workflow-references:

  • unpinned-actions-agent-shield.yml — uses @v1 (internal reusable, exempt)
  • unpinned-actions-claude.yml — uses @main (internal reusable, exempt)
  • unpinned-actions-dependabot-automerge.yml — uses @v1 (internal reusable, exempt)

SHA-pinning these would cause OIDC token validation failures for Claude Code.

Stale Findings — Already Compliant

  • codeowners-org-leads-not-first and codeowners-no-catchall — CODEOWNERS already has * @petry-projects/org-leads. These appear to be stale from before a recent fix.

Out of Scope (Platform Limitation)

  • security_and_analysis_unavailable — token lacks admin scope to read/set security_and_analysis flags (free-plan repos). Warning only.

Closes #241

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced the continuous integration pipeline with improved secret detection and scanning capabilities to strengthen security verification during the build process.

Review Change Stack

Copilot AI review requested due to automatic review settings May 11, 2026 12:49
@don-petry don-petry requested a review from a team as a code owner May 11, 2026 12:49
@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai (Bot) commented May 11, 2026

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 55 minutes and 20 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 839c5ac0-efb6-490f-9d6b-d8fe2a2a52bd

📥 Commits

Reviewing files that changed from the base of the PR and between ee01ab7 and b3f4266.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📝 Walkthrough

Walkthrough

The .github/workflows/ci.yml file is updated to replace manual gitleaks installation and execution with the official gitleaks/gitleaks-action GitHub Action. The secret-scan job now includes security-events: write permission, performs full-history checkout, and passes GITHUB_TOKEN and GITLEAKS_LICENSE environment variables to the action step.

Changes

Secret Scan Job Update

Layer / File(s) Summary
Gitleaks Action Integration
.github/workflows/ci.yml
The secret-scan job migrates from manual gitleaks installation to the pinned gitleaks/gitleaks-action, adds security-events: write permission, checks out with full history (fetch-depth: 0), and injects GITHUB_TOKEN and GITLEAKS_LICENSE environment variables to the scanning step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related issues

  • #259: This PR implements the compliance audit's requested "add secret-scan CI job" remediation by replacing manual gitleaks with the pinned gitleaks-action.
  • #215: This PR addresses the compliance audit findings for "push protection & secret scanning" and "action SHA pinning" by updating the secret-scan job with a pinned GitHub Action.

Possibly related PRs

  • petry-projects/.github#163: Documents the GITLEAKS_LICENSE environment variable setup required by the updated secret-scan job in this PR.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title references 'audit findings' and the PR clearly addresses compliance audit issues, but is vague about specific changes and doesn't highlight the primary technical change of adding gitleaks secret-scan job. Consider a more specific title that references the primary change, such as 'fix(ci): add gitleaks secret-scan job for compliance audit' or 'fix: remediate 2026-05-11 audit findings with gitleaks and action pinning'.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed The PR addresses several objectives from #241 including adding secret-scan CI job [#241] and pinning action SHA [#241], but does not fully remediate all category objectives within the .github repo scope.
Out of Scope Changes check ✅ Passed All changes are directly related to compliance remediation in #241: secret-scan job addition and action pinning address specific audit findings; API-applied changes are documented and within PR scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-241-20260511-1243


Copilot AI (Contributor) left a comment

Pull request overview

This PR remediates compliance-audit findings for the petry-projects/.github repository by adding the required CI secret scanning job and SHA-pinning an unpinned workflow action.

Changes:

  • Added a secret-scan job to .github/workflows/ci.yml using gitleaks/gitleaks-action.
  • Pinned dtolnay/rust-toolchain@stable to a full commit SHA in .github/workflows/dependency-audit.yml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/ci.yml Adds a gitleaks-based secret scanning job to satisfy the required CI secret-scan check.
.github/workflows/dependency-audit.yml Pins dtolnay/rust-toolchain to a specific commit SHA for action pinning compliance.


Comment thread .github/workflows/ci.yml
Comment on lines +95 to +101
- name: Run gitleaks
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
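Review bot: the `with: args:` block on the gitleaks step is dead configuration: gitleaks/gitleaks-action v2 declares no inputs and is driven entirely by environment variables (GITHUB_TOKEN, GITLEAKS_LICENSE and, for a non-default rules file, GITLEAKS_CONFIG), so `detect --source . --redact --verbose --exit-code 1` never reaches gitleaks and the step runs with the action's own invocation. Drop the `with:` block, and if the repo's `.gitleaks.toml` is meant to apply, add `GITLEAKS_CONFIG: .gitleaks.toml` under `env:`. Separately, an unset `secrets.GITLEAKS_LICENSE` expands to an empty string rather than skipping the step, so on an organization repo this job fails with a license error until the org secret exists; confirm it is set before making secret-scan a required check.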
@don-petry (Contributor, Author)

@petry-projects/org-leads — all CI checks are green and the compliance fixes are in place. This PR is ready for your review and merge.

Summary of what was fixed:

  • ✅ Added secret-scan gitleaks job to ci.yml
  • ✅ Pinned dtolnay/rust-toolchain@stable to SHA in dependency-audit.yml
  • ✅ CodeQL default setup configured via API
  • allow_auto_merge and delete_branch_on_merge enabled via API
  • ✅ Check-suite auto-trigger disabled for Claude (1236702) and CodeRabbit (347564)

@don-petry don-petry closed this May 11, 2026
@don-petry don-petry reopened this May 11, 2026
@don-petry don-petry closed this May 12, 2026
@don-petry don-petry reopened this May 12, 2026
@don-petry don-petry enabled auto-merge (squash) May 12, 2026 01:42
@github-actions (Contributor)

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

github-actions Bot and others added 2 commits May 13, 2026 11:53
Fixes compliance findings for the .github repo from the 2026-05-11 audit:
- ci.yml: add required gitleaks secret-scan job per push-protection standard
- dependency-audit.yml: pin dtolnay/rust-toolchain@stable to commit SHA

Also applied via GitHub API (no file changes needed):
- Enabled CodeQL default setup (codeql-default-setup-not-configured)
- Set allow_auto_merge=true, delete_branch_on_merge=true
- Disabled check-suite auto-trigger for app IDs 1236702 (Claude) and 347564 (CodeRabbit)

Note: unpinned-actions findings for agent-shield.yml, claude.yml, and
dependabot-automerge.yml are false positives — internal reusable workflow
refs are exempt from SHA pinning per ci-standards.md#exception-internal-reusable-workflow-references.

Closes #241

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
gitleaks-action v2 requires a license for organization repos.
The GITLEAKS_LICENSE secret must be set in org secrets for this job to pass.

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
@don-petry don-petry force-pushed the claude/issue-241-20260511-1243 branch from 8c8a04a to 33616ce Compare May 13, 2026 16:53
@github-actions (Contributor)

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

donpetry-bot previously approved these changes May 14, 2026

@donpetry-bot (Contributor) left a comment

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 4ba24363e633ef3213ef44dc74d5aab3a6341e96
Review mode: triage-approved (single reviewer)

Summary

Small, focused compliance fix (+21/-1 across 2 files) addressing audit findings from #241:

  • .github/workflows/ci.yml — adds a secret-scan job using gitleaks/gitleaks-action to satisfy the required CI secret-scan check.
  • .github/workflows/dependency-audit.yml — pins dtolnay/rust-toolchain@stable to commit SHA 29eef336….

Remaining audit findings are addressed out-of-tree (CodeQL default setup, repo settings, check-suite auto-trigger) or documented as false positives / stale per the standards exception for internal reusable workflows.

Linked issue analysis

Closes #241 (2026-05-11 compliance audit). The PR description maps each audit finding to either an in-PR fix, an API-applied fix, a documented false positive (with link to the standards exception), or a noted platform limitation. Coverage of the issue is substantive.

Findings

None blocking. Spot checks:

  • All third-party actions in the new job are SHA-pinned with version comments: actions/checkout@de0fac2e… # v6.0.2, gitleaks/gitleaks-action@ff98106e… # v2.3.9.
  • New job permissions are minimal and appropriate (contents: read, security-events: write).
  • GITLEAKS_LICENSE is sourced from secrets (required for org repos on gitleaks-action v2), and GITHUB_TOKEN is the standard scoped token — no secret leakage risk.
  • The rust-toolchain SHA pin replaces a floating @stable tag, a strict supply-chain improvement.
  • No changes to auth, credentials, migrations, or other HIGH-risk surfaces.

CI status

All checks green on the reviewed SHA:

  • CodeQL Analyze (actions) — SUCCESS
  • CodeQL (overall) — SUCCESS
  • CodeRabbit — SUCCESS
  • SonarQube Cloud quality gate — passed (0 new issues)

Note: branch is currently BEHIND main and the auto-rebase bot reported it lacks workflows permission to merge in base updates; the author will need to rebase manually before merge, but this does not affect the correctness of the change.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@coderabbitai (Bot) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 83-101: The workflow contains a duplicate GitHub Actions job named
"secret-scan": keep the new gitleaks action-based job (the block starting with
the secret-scan job using gitleaks/gitleaks-action) and remove the stale
manual-install "secret-scan" job block (the earlier/manual-install variant
referenced in the review) so there is only one unique jobs: secret-scan
definition; delete the entire old manual-install secret-scan block to avoid YAML
key duplication and ensure the new action runs.
- Around line 95-101: Remove the unsupported args key from the gitleaks step and
instead pass flags and config via environment variables: delete the args: line
under the gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
step, add env entries GITLEAKS_CONFIG: ".gitleaks.toml" to point to the existing
config file, and add GITLEAKS_ARGS: "detect --source . --redact --verbose
--exit-code 1" (preserving GITHUB_TOKEN and GITLEAKS_LICENSE) so the action
receives the same flags and loads the .gitleaks.toml allowlist and rules.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 311dcc96-b7fe-4ad9-98c8-822a38ca2bfc

📥 Commits

Reviewing files that changed from the base of the PR and between 6f46503 and ee01ab7.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
Comment on lines +95 to +101
- name: Run gitleaks
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Confirm gitleaks-action v2.3.9 has no `args` input.
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml"

# 2) Check whether a .gitleaks.toml (or gitleaks.toml) is committed.
fd -HI -t f -a 'gitleaks\.toml$'

Repository: petry-projects/.github

Length of output: 609


🏁 Script executed:

#!/bin/bash
# Fetch the full action.yml and search for inputs section
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml" | head -100

Repository: petry-projects/.github

Length of output: 575


🏁 Script executed:

#!/bin/bash
# Fetch the full action.yml without truncation
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml"

Repository: petry-projects/.github

Length of output: 575


🏁 Script executed:

#!/bin/bash
# Check if action.yml contains an inputs section
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/action.yml" | grep -i "inputs"

Repository: petry-projects/.github

Length of output: 48


🏁 Script executed:

#!/bin/bash
# Check the README for the action to confirm config file behavior
curl -sSL "https://raw.githubusercontent.com/gitleaks/gitleaks-action/ff98106e4c7b2bc287b24eaf42907196329070c7/README.md" | head -150

Repository: petry-projects/.github

Length of output: 7944


Critical: args is not a recognized input for gitleaks/gitleaks-action@v2.

The action's action.yml declares no inputs: section—configuration is taken entirely from environment variables. The args: detect --source . --redact --verbose --exit-code 1 will be silently ignored, losing flags like --redact and --verbose.

Additionally, the action auto-detects only gitleaks.toml (without dot prefix) at the repo root. A .gitleaks.toml file exists in this repo but will not be loaded; its allowlist and custom rules will be silently dropped unless explicitly set via GITLEAKS_CONFIG.

🛠 Fix — remove unsupported `args` and wire config via env
       - name: Run gitleaks
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
-        with:
-          args: detect --source . --redact --verbose --exit-code 1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+          GITLEAKS_CONFIG: .gitleaks.toml
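Review bot: the suggested patch and the "Prompt for AI Agents" text that follows it disagree: the patch only removes the `with:` block and adds `GITLEAKS_CONFIG: .gitleaks.toml`, while the prompt additionally instructs the agent to add a `GITLEAKS_ARGS` env entry carrying the old flags. Reconcile the two before triggering the autofix, and check the pinned action.yml and README fetched above for every env variable you rely on; a variable the action never reads fails exactly as silently as the `args` input did, so only `GITLEAKS_CONFIG` should be added unless the action's source shows the other name is consumed.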
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 95 - 101, Remove the unsupported args
key from the gitleaks step and instead pass flags and config via environment
variables: delete the args: line under the
gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 step, add env
entries GITLEAKS_CONFIG: ".gitleaks.toml" to point to the existing config file,
and add GITLEAKS_ARGS: "detect --source . --redact --verbose --exit-code 1"
(preserving GITHUB_TOKEN and GITLEAKS_LICENSE) so the action receives the same
flags and loads the .gitleaks.toml allowlist and rules.
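The SHA-pinning finding and its internal-reusable-workflow exemption in the PR description, together with CodeRabbit's two findings above (the `args` key that gitleaks-action v2 does not declare, and the duplicated secret-scan job), are all things a workflow linter can catch before the next audit does. The block below is an added example written for this page, not code from the PR, the action, or the petry-projects org. It assumes the org name `petry-projects`, that internal reusable workflow references have the shape `petry-projects/<repo>/.github/workflows/<file>@<ref>`, and that the declared-inputs table would normally be read from each pinned action's action.yml; here it is constructed inline (gitleaks-action v2 declares no inputs, per the review above; the checkout list is abridged). The sample workflow and its checkout SHA are constructed, not taken from the repository.

```python
"""Line-based linter for GitHub Actions workflow files (stdlib only).

Added example, not code from this PR or the petry-projects org. Three checks:
  1. `uses:` refs pinned to a 40-hex commit SHA, exempting the org's own
     reusable workflows (assumed shape ORG/<repo>/.github/workflows/<file>@<ref>);
  2. `with:` keys the referenced action does not declare (the runner only
     passes declared inputs, so undeclared ones are dropped);
  3. duplicate job ids under `jobs:` (one definition is lost either way).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ORG = "petry-projects"  # assumption: this org's reusable workflows are exempt from pinning

KEY_RE = re.compile(r"^( *)(- +)?([A-Za-z_][\w.-]*):(?:\s+(.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Step:
    line_no: int
    key_indent: int  # column of the step's own keys (after "- ")
    uses: Optional[str] = None
    with_keys: List[str] = field(default_factory=list)


def parse_workflow(text: str) -> Tuple[List[Tuple[int, str]], List[Step]]:
    """Return (job_ids, steps). Indentation-based, not a full YAML parser,
    which is enough for the jobs/steps/with layout of real workflow files."""
    job_ids: List[Tuple[int, str]] = []
    steps: List[Step] = []
    in_jobs, job_indent = False, None
    cur: Optional[Step] = None
    collecting = False  # True while inside the current step's `with:` mapping
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue  # plain scalars and key-less list items carry nothing we check
        ind, dash, key, value = m.groups()
        key_indent = len(ind) + (len(dash) if dash else 0)
        value = (value or "").split(" #")[0].strip()  # drop "# v2.3.9"-style comments
        if key_indent == 0:  # a top-level key leaves any job/step context
            in_jobs, job_indent, cur = (key == "jobs"), None, None
            continue
        if cur is not None and key_indent < cur.key_indent:
            cur, collecting = None, False  # dedent closes the current step or job
        if in_jobs and not dash:
            job_indent = key_indent if job_indent is None else job_indent
            if key_indent == job_indent:
                job_ids.append((n, key))
        if dash:  # "- name:" or "- uses:" starts a new step
            cur, collecting = Step(n, key_indent), False
            steps.append(cur)
        elif key == "uses" and cur is None:  # job-level uses: (reusable workflow call)
            cur, collecting = Step(n, key_indent), False
            steps.append(cur)
        if cur is None:
            continue
        if key_indent == cur.key_indent:
            collecting = key == "with"
            if key == "uses":
                cur.uses = value
        elif collecting and key_indent > cur.key_indent:
            cur.with_keys.append(key)
    return job_ids, [s for s in steps if s.uses]


def check_pinning(steps: List[Step], org: str = ORG) -> List[str]:
    out = []
    for s in steps:
        if s.uses.startswith(("./", "docker://")) or "@" not in s.uses:
            continue  # local action or container image: no git ref to pin
        path, ref = s.uses.rsplit("@", 1)
        internal_reusable = path.split("/")[0] == org and "/.github/workflows/" in path
        if SHA_RE.match(ref) or internal_reusable:
            continue
        out.append(f"line {s.line_no}: unpinned action {s.uses}")
    return out


def check_inputs(steps: List[Step], action_inputs: Dict[str, Set[str]]) -> List[str]:
    out = []
    for s in steps:
        name = s.uses.split("@")[0]
        declared = action_inputs.get(name)
        if declared is None:
            continue  # no action.yml on hand for this action
        out += [f"line {s.line_no}: '{k}' is not an input of {name} and is ignored"
                for k in s.with_keys if k not in declared]
    return out


def check_duplicate_jobs(job_ids: List[Tuple[int, str]]) -> List[str]:
    first: Dict[str, int] = {}
    out = []
    for n, jid in job_ids:
        if jid in first:
            out.append(f"line {n}: duplicate job id '{jid}' (first defined at line {first[jid]})")
        else:
            first[jid] = n
    return out


def lint(text: str, action_inputs: Dict[str, Set[str]]) -> List[str]:
    job_ids, steps = parse_workflow(text)
    return check_duplicate_jobs(job_ids) + check_pinning(steps) + check_inputs(steps, action_inputs)


# Constructed sample modelled on the ci.yml excerpt in this PR; the checkout SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install gitleaks
        run: ./scripts/install-gitleaks.sh
  secret-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          fetch-depth: 0
      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
        with:
          args: detect --source . --redact --verbose --exit-code 1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
  shield:
    uses: petry-projects/.github/.github/workflows/agent-shield.yml@v1
    secrets: inherit
  rust-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: dtolnay/rust-toolchain@stable
"""

# Declared inputs per action, constructed here instead of read from each pinned action.yml:
# gitleaks-action v2 declares none (env-var driven); the checkout list is abridged.
ACTION_INPUTS: Dict[str, Set[str]] = {
    "gitleaks/gitleaks-action": set(),
    "actions/checkout": {"repository", "ref", "token", "fetch-depth", "persist-credentials"},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_WORKFLOW, ACTION_INPUTS):
        print(finding)
```

Run against the sample it reports four findings: the duplicated `secret-scan` job, the two floating refs (`actions/checkout@v4` and `dtolnay/rust-toolchain@stable`), and the `args` key on the gitleaks step; the `@v1` reusable-workflow call is skipped by the exemption and the SHA-pinned checkout passes. To use it on a real repository, feed it each file under `.github/workflows/` and build `ACTION_INPUTS` from the `inputs:` section of every pinned action's action.yml.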

@donpetry-bot (Contributor)

donpetry-bot commented May 14, 2026

Superseded by automated re-review at 31fc75a889b38b030c3fb1d503e98c0af93fd991. Prior review:

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@donpetry-bot donpetry-bot dismissed their stale review May 14, 2026 04:40

Superseded by automated re-review at ee01ab7.

@donpetry-bot (Contributor)

Review — fix requested (cycle 3/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry (Contributor, Author)

@dev-lead - please fix this PR

This was referenced May 25, 2026
@sonarqubecloud


Development

Successfully merging this pull request may close these issues.

Compliance audit — 2026-05-11

3 participants