fix(compliance): track per-workflow version tags in stub checker

[don-petry]

Summary

• The centralized-stub checker hardcoded @v1 for all workflows, but pr-review-mention-reusable was already bumped to v2 and its standard template updated to match — the checker was never updated, causing every valid @v2 stub to be flagged as non-compliant
• Extends the centralized array format from wf:reusable to wf:reusable:version so each workflow carries its own canonical tag independently
• Marks pr-review-mention.yml as v2; all other stubs remain at v1
• Updates the ci-standards.md §10 compliance note to reference @v2

Changes

File	Change
scripts/compliance-audit.sh	Array format wf:reusable:version; per-entry expected pattern; version-aware error messages
standards/ci-standards.md	§10 compliance note: @v1 → @v2

Impact

Repos with a correct @v2 stub for pr-review-mention.yml will no longer receive a non-stub-pr-review-mention.yml finding. Repos still on @v1 or a SHA pin will continue to be flagged with an updated message pointing to @v2.

All other workflows (dev-lead, auto-rebase, agent-shield, etc.) are unaffected — they remain at v1.

Related

• Companion PR to ci: add pr-review-mention.yml caller stub .github-private#203 (adds the missing stub using @v2)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Revised CI/CD standards documentation for Tier 1 workflow stubs, providing clearer guidance on version pinning, tag management, and configuration updates for canonical reusable workflows.

• Chores

  • Strengthened compliance validation with stricter version tag verification and enhanced error messaging to identify specific workflow non-compliance issues.

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 35 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b2408ed3-fa0d-49a1-9575-85bf07e2974a

📥 Commits

Reviewing files that changed from the base of the PR and between 680929e and 6b627fe.

📒 Files selected for processing (2)

• scripts/compliance-audit.sh
• standards/ci-standards.md

📝 Walkthrough

Walkthrough

Updates centralized Tier 1 workflow stub compliance audit to validate against per-workflow canonical reusable version pins instead of hardcoded @v1. Mapping now includes explicit version tags for each workflow; pr-review-mention.yml moves to @v2. Documentation clarifies canonical pinning rationale and explicitly permits with: input tuning in stubs.

Changes

Centralized Workflow Pinning

Layer / File(s)	Summary
Centralized workflow mapping definition and validation scripts/compliance-audit.sh	Mapping data structure expanded to include expected reusable basenames with explicit version tags for each centralized workflow (including pr-review-mention.yml@v2), and validation added to require version tags in all mapping entries.
Compliance check implementation scripts/compliance-audit.sh	Compliance audit logic refactored to build canonical uses: expectation dynamically using mapped reusable basenames and version tags, with stricter regex matching anchored to the uses: directive and version-aware non-compliance messaging.
Policy documentation and pr-review-mention version update standards/ci-standards.md	CI standards documentation updated to generalize pinning rationale from @v1 to "canonical tag" framework, explicitly permit with: input tuning, and update pr-review-mention.yml stub to reference @v2 instead of @v1.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly Related Issues

• petry-projects/ContentTwin#144: PR directly addresses the complaint that pr-review-mention was not pinned to the canonical tag by moving it to @v2 and enforcing per-workflow version validation.
• petry-projects/bmad-bgreat-suite#150: PR updates compliance checks to validate per-workflow expected reusable pins, directly addressing the issue with pr-review-mention stub's pinned version.
• petry-projects/TalkTerm#175: PR moves pr-review-mention to @v2 and requires per-workflow version validation, directly addressing the compliance finding about incorrect @v1 pinning.
• petry-projects/ContentTwin#143: PR adds per-workflow expected version validation to centralized workflow audit, addressing compliance findings about workflows not pinned to canonical tags.
• petry-projects/.github#267: PR directly addresses the pr-review-mention reusable caller/version mismatch by moving to @v2 and enforcing validation.

Possibly Related PRs

• petry-projects/.github#89: PR extends the same check_centralized_workflow_stubs audit logic introduced by the earlier PR to now validate against per-workflow canonical version pins rather than hardcoded @v1.
• petry-projects/.github#12: PR builds on the compliance audit script introduced in the referenced PR by updating the validation logic to check centralized reusable workflow uses: lines with per-workflow version pins including pr-review-mention.yml@v2.
• petry-projects/.github#87: PR tightens compliance checks and stub version requirements to validate uses: against centralized reusables, directly targeting the stub delegation pattern introduced in the referenced PR.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: extending the compliance checker to track per-workflow version tags instead of hardcoding @v1, which directly addresses the pr-review-mention.yml @v2 bump issue.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/pr-review-mention-v2-compliance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Fixes the check_centralized_workflow_stubs compliance audit, which was hardcoding @v1 for every centralized workflow. Since pr-review-mention-reusable was already bumped to @v2 in the standard template, compliant downstream repos were being incorrectly flagged. The array of centralized workflows is extended to carry a per-entry version tag.

Changes:

• Extend centralized array entry format from wf:reusable to wf:reusable:version, parsing the third field into a version variable.
• Use ${version} in the expected uses: pattern, success comment, "why" message, and the add_finding remediation text.
• Update ci-standards.md §10 compliance note to reference @v2 for pr-review-mention-reusable.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
scripts/compliance-audit.sh	Per-workflow version tag in centralized stub checker; pr-review-mention.yml set to v2, others remain v1.
standards/ci-standards.md	§10 compliance note updated from @v1 to @v2 for pr-review-mention-reusable.yml.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 85d43badd4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[gemini-code-assist]

Code Review

This pull request updates the compliance audit script to support dynamic versioning for centralized workflow stubs, replacing the previous hardcoded @v1 requirement. The configuration array now includes a version tag for each workflow, and the pr-review-mention.yml workflow has been updated to require @v2. Feedback was provided regarding the parsing logic for the centralized array, specifically that missing version tags could lead to malformed regex patterns and incorrect audit results.

[don-petry]

@donpetry-bot - please review

[donpetry-bot]

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 4b8204929611dddc5641d4b7af2b977e5264ad5b
Review mode: triage-approved (single reviewer)

Summary

This PR fixes a latent bug in check_centralized_workflow_stubs where the expected stub version was hardcoded to @v1, causing every valid @v2 stub for pr-review-mention.yml to be flagged as non-compliant after the reusable was bumped. The fix extends the centralized array format from wf:reusable to wf:reusable:version so each workflow carries its own canonical tag, marks pr-review-mention.yml as v2, and updates the §10 compliance note in ci-standards.md accordingly. All other workflows remain at v1.

Linked issue analysis

No linked issue. PR is a self-contained bug fix paired with the companion PR petry-projects/.github-private#203 (which adds the missing stub at @v2). Body and commit messages adequately explain motivation and scope.

Findings

• scripts/compliance-audit.sh — Array-format extension is clean; the new version parsing uses the existing IFS=':' read pattern. Regex variable interpolation is safe because version is read from a hardcoded literal array, not external input, and the regex metachars in the surrounding pattern are properly escaped (\\.). The version-aware error messages (why, add_finding) correctly propagate the per-workflow tag, so remediation guidance is actionable. ✓
• Defensive guard (commit 4b82049) — The added [ -z "$version" ] && exit 1 check addresses Gemini's reasonable concern that a malformed entry without a version field would silently produce an ...@ regex matching nothing. Fail-fast with a clear ::error:: message is the right behavior for a config-shape bug. ✓
• standards/ci-standards.md §10 — Single-line update from @v1 to @v2 is consistent with the script change. ✓
• No security-sensitive surface touched: no auth, secrets, credentials, crypto, DB migrations, or CI security primitives. ✓
• No new dependencies, no cross-module refactors. ✓

CI status

All required checks green:

• Lint, ShellCheck, Agent Security Scan, Secret scan (gitleaks) — SUCCESS
• CodeQL (actions) — SUCCESS
• SonarCloud Quality Gate — PASSED (0 new issues, 0 hotspots)
• AgentShield — SUCCESS
• Dependency audit — SUCCESS (ecosystem subjobs appropriately skipped)
• Copilot review — no comments
• Codex review — no suggestions flagged
• CodeRabbit — rate-limited (informational, not blocking)

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

[don-petry]

@donpetry-bot - please review

[donpetry-bot]

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Line 764: The regex is built unsafely by embedding ${version} (and possibly
${reusable}) directly into an ERE in the local expected assignment; write and
use a small escaping helper (e.g., escape_ere) that escapes ERE metacharacters
(characters like . * + ? ^ $ { } ( ) [ ] | \ ) and then replace direct uses with
escaped values (e.g., esc_version=$(escape_ere "$version") and
esc_reusable=$(escape_ere "$reusable") and then build local
expected="petry-projects/\\.github/\\.github/workflows/${esc_reusable}\\.yml@${esc_version}").
Ensure the helper is defined near other shell helpers and is POSIX/bash-friendly
(using sed or parameter expansion) so tags with dots or other metacharacters are
matched literally.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 49891779-91bb-4332-92f5-c34e3f2b0fc2

📥 Commits

Reviewing files that changed from the base of the PR and between c7104f4 and 680929e.

📒 Files selected for processing (2)

• scripts/compliance-audit.sh
• standards/ci-standards.md

[donpetry-bot]

Superseded by automated re-review at c9766e0e91ea4a7c4c68bf00b900a90b61b7851d — click to expand prior review.

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: c9766e0e91ea4a7c4c68bf00b900a90b61b7851d
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

Bug fix extending compliance-audit.sh's centralized array from 'wf:reusable' to 'wf:reusable:version', correctly moving pr-review-mention.yml to @v2. All CI checks pass (Lint, ShellCheck, CodeQL, SonarCloud 0 issues, AgentShield, gitleaks, dependency audit). CodeRabbit's CHANGES_REQUESTED concerns regex metacharacter escaping for ${version}/${reusable}, but both variables are read from a hardcoded literal array with no ERE metacharacters in any current or plausible future entry (versions are simple tags like v1/v2; reusable basenames are alphanumeric+hyphen only). The second commit already adds a fail-fast guard against empty version fields. The theoretical defense-in-depth concern does not rise to a blocking defect for this PR.

Findings

• info: The ERE pattern embeds ${reusable} and ${version} without escaping metacharacters (e.g. via sed 's/[.^$*+?(){}[|\]/\&/g'). Currently safe because all values are hardcoded alphanumeric+hyphen strings with no ERE metacharacters, and a defensive guard exits on empty version. Worth documenting the invariant in a comment if new workflows with dots in their names are ever added.
• info: CodeRabbit's CHANGES_REQUESTED review (commit 680929e) has not been dismissed. The concern is the same regex escaping point above — theoretical/defense-in-depth only. No new commits have been pushed to address it, but the current codebase is correct for all existing entries. This review is blocking merge but does not reflect a genuine defect.

---

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[coderabbitai]

@don-petry I'll kick off a fresh review of the latest changes right away!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

@donpetry-bot approve

[donpetry-bot]

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

Feedback addressed in recent commits. Safe regex escaping helper implemented and documented.

[don-petry]

@donpetry-bot approve

[donpetry-bot]

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.