Add Claude Code GitHub Action#15
Merged
Merged
Conversation
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 12 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdded a GitHub Actions workflow Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)
4-5: Avoid duplicate auto-reviews with existing CodeRabbit automation.Given
.coderabbit.yaml(Line 4-9) already enables auto review onmain, this PR-triggered Claude run will produce duplicate bot feedback on every PR. Consider making Claude manual (@claudeonly) or adding additional gating (label/opt-in).🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/claude.yml around lines 4 - 5, The claude.yml workflow is currently triggered on pull_request (pull_request: types: [opened, reopened, synchronize]) which duplicates .coderabbit.yaml's auto-review; change claude.yml to avoid automatic PR runs by replacing the pull_request trigger with a manual trigger (workflow_dispatch) and/or a comment trigger gated to an `@claude` command (issue_comment with a conditional checking for the `@claude` phrase) or add a label opt-in gate (keep pull_request but add an if: that checks for a specific label). Update the workflow triggers and any conditional expressions so claude.yml only runs when explicitly requested (manual dispatch, `@claude` comment, or opt-in label) to prevent duplicate bot feedback with .coderabbit.yaml.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude.yml:
- Around line 11-13: The workflow currently allows any commenter to trigger the
run via contains(github.event.comment.body, '@claude'); tighten the if condition
by also checking the commenter's author association using
github.event.comment.author_association and only permitting trusted associations
(e.g., OWNER, MEMBER, COLLABORATOR) before allowing the secret-backed run;
update the conditional that uses contains(github.event.comment.body, '@claude')
(and the other identical occurrence) to require that
github.event.comment.author_association is one of the allowed values in addition
to the body check.
- Around line 6-13: The workflow's conditional allows the claude job to run for
any issue_comment, which includes regular issues; update the job-level if
expression (the one guarding the claude job) to require that an issue_comment
event is on a pull request by adding a check for github.event.issue.pull_request
(e.g., && github.event.issue.pull_request != null or &&
contains(toJSON(github.event.issue), 'pull_request')), so the second clause
becomes: (github.event_name == 'issue_comment' &&
github.event.issue.pull_request && contains(github.event.comment.body,
'@claude')) ensuring `@claude` on non-PR issues won't trigger the claude job.
---
Nitpick comments:
In @.github/workflows/claude.yml:
- Around line 4-5: The claude.yml workflow is currently triggered on
pull_request (pull_request: types: [opened, reopened, synchronize]) which
duplicates .coderabbit.yaml's auto-review; change claude.yml to avoid automatic
PR runs by replacing the pull_request trigger with a manual trigger
(workflow_dispatch) and/or a comment trigger gated to an `@claude` command
(issue_comment with a conditional checking for the `@claude` phrase) or add a
label opt-in gate (keep pull_request but add an if: that checks for a specific
label). Update the workflow triggers and any conditional expressions so
claude.yml only runs when explicitly requested (manual dispatch, `@claude`
comment, or opt-in label) to prevent duplicate bot feedback with
.coderabbit.yaml.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 650b1660-8a68-40cc-a167-27586048ed68
📒 Files selected for processing (1)
.github/workflows/claude.yml
There was a problem hiding this comment.
Pull request overview
Adds a GitHub Actions workflow to run the Claude Code action for automated PR reviews, triggered on PR activity and “@claude” mentions.
Changes:
- Introduces a new
.github/workflows/claude.ymlworkflow. - Runs on
pull_requestopen/reopen/synchronize andissue_comment.created, gated by anif:condition. - Passes
ANTHROPIC_API_KEYfrom repo secrets intoanthropics/claude-code-action@v1.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
4 tasks
3 tasks
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 20, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
…564 (#271) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #272 — Compliance: dev-lead-stub-pin (#297) * feat: implement issue #272 — Compliance: dev-lead-stub-pin * chore: apply manual instructions [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary) (#306) * ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary ring) * fix(security): suppress gitleaks false positives for commit c5099d1 Adds .gitleaksignore fingerprints for commit c5099d1 which contains the same SHA256 content checksums in _bmad/_config/files-manifest.csv that have been documented as false positives in five prior commits. The generic-api-key rule flags high-entropy hex strings; these are file-content checksums, not credentials. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: implement issue #227 — Compliance: check-suite-auto-trigger-347564 Pin org reusable workflows to @v1 (agent-shield, dependabot-automerge, dependency-audit) and reinforce repo settings via a weekly schedule plus self-path trigger and a concurrency group on apply-repo-settings. Closes #227 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(secret-scan): suppress gitleaks false positives in commit 38e9f74 Added suppression for commit 38e9f74 which contains the same _bmad/_config/files-manifest.csv CSV rows (SHA256 checksums of BMAD skill files, not API keys) as previously-reviewed commits. Gitleaks generic-api-key rule flags high-entropy hex strings; these are file-content checksums, not credentials. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(secret-scan): suppress additional gitleaks false positive in da36d9b Commit da36d9b contains the same false-positive generic-api-key findings in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) as earlier commits. These are SHA256 file-content checksums in a manifest CSV, not API keys. Adding them to .gitleaksignore to resolve the full-history gitleaks enforcement check failure. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(bot): address bot feedback [skip ci-relay] * fix(secret-scan): suppress remaining gitleaks false positives Gitleaks full-history enforcement (CLI scan) found 11 unflagged fingerprints in two commits: - f57f035: rebase/merge copy of "chore: add ECC integration, TEA module, and slim CLAUDE.md" — all 6 lines (281, 282, 284, 300, 409, 433) in _bmad/_config/files-manifest.csv were unregistered. - 3d0fa15: same commit message variant — lines 281, 282, 284, 300, 409 were missing; only line 433 had been suppressed. All findings are SHA256 content checksums in the BMAD files-manifest CSV, not real credentials. Same false-positive rationale as the previously suppressed entries above them in .gitleaksignore. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 22, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
…564 (#271) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #272 — Compliance: dev-lead-stub-pin (#297) * feat: implement issue #272 — Compliance: dev-lead-stub-pin * chore: apply manual instructions [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary) (#306) * ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary ring) * fix(security): suppress gitleaks false positives for commit c5099d1 Adds .gitleaksignore fingerprints for commit c5099d1 which contains the same SHA256 content checksums in _bmad/_config/files-manifest.csv that have been documented as false positives in five prior commits. The generic-api-key rule flags high-entropy hex strings; these are file-content checksums, not credentials. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: implement issue #227 — Compliance: check-suite-auto-trigger-347564 Pin org reusable workflows to @v1 (agent-shield, dependabot-automerge, dependency-audit) and reinforce repo settings via a weekly schedule plus self-path trigger and a concurrency group on apply-repo-settings. Closes #227 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(secret-scan): suppress gitleaks false positives in commit 38e9f74 Added suppression for commit 38e9f74 which contains the same _bmad/_config/files-manifest.csv CSV rows (SHA256 checksums of BMAD skill files, not API keys) as previously-reviewed commits. Gitleaks generic-api-key rule flags high-entropy hex strings; these are file-content checksums, not credentials. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(secret-scan): suppress additional gitleaks false positive in da36d9b Commit da36d9b contains the same false-positive generic-api-key findings in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) as earlier commits. These are SHA256 file-content checksums in a manifest CSV, not API keys. Adding them to .gitleaksignore to resolve the full-history gitleaks enforcement check failure. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(bot): address bot feedback [skip ci-relay] * fix(secret-scan): suppress remaining gitleaks false positives Gitleaks full-history enforcement (CLI scan) found 11 unflagged fingerprints in two commits: - f57f035: rebase/merge copy of "chore: add ECC integration, TEA module, and slim CLAUDE.md" — all 6 lines (281, 282, 284, 300, 409, 433) in _bmad/_config/files-manifest.csv were unregistered. - 3d0fa15: same commit message variant — lines 281, 282, 284, 300, 409 were missing; only line 433 had been suppressed. All findings are SHA256 content checksums in the BMAD files-manifest CSV, not real credentials. Same false-positive rationale as the previously suppressed entries above them in .gitleaksignore. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
…ub (#302) * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix: make copilot setup workflow docs-only for current TalkTerm main TalkTerm default branch currently contains docs/scripts and no lockfile, so npm setup steps fail. Switch to checkout + verify only (same docs-only pattern used in ContentTwin and bmad-bgreat-suite) until app source lands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #198 — [Fleet Monitor] petry-projects/TalkTerm — copilot-setup-steps.yml (#205) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Initial commit * Install BMad Method v6.2.0 with Claude Code integration Sets up BMad Method (Agile AI-Driven Development framework) with the BMM module, 36 skills and 9 agents configured for Claude Code. https://claude.ai/code/session_01VY2xiQ7rg51abGxTBCfcVj * fix: configure CodeQL to scan Python only (#6) * fix: add CodeQL workflow targeting Python only * fix: add contents:read permission for checkout step * chore: add ECC integration, TEA module, and slim CLAUDE.md - Slim CLAUDE.md from 22KB to 12KB by extracting enforcement rules into references (ECC rules installed globally via ~/.claude/rules/) - Add ECC-for-BMad integration guide (docs/ecc-for-bmad.md) - Install BMad TEA (Test Architect) module with 9 testing workflows (ATDD, automate, CI, framework, NFR, test-design, test-review, trace, teach-me-testing) plus TEA agent persona - Register TEA workflow skills in .claude/skills/ for Claude Code access - Update BMad core to v6.2.2 (restructured _bmad/ directory layout) - AgentShield security scan: Grade A (100/100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add Claude Code GitHub Action (#15) * Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address OpenSSF Scorecard findings (#22) * fix: address OpenSSF Scorecard findings - Add SECURITY.md (#18) - Scope workflow token permissions to read-all with per-job overrides (#19) - Pin all GitHub Action dependencies to commit SHAs (#20) - Ensure SAST (CodeQL) runs on all push commits to main (#21) Closes #18, #19, #20, #21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments - Replace permissions: read-all with permissions: {} (deny-by-default) - Add concrete security contact email to SECURITY.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use claude_code_oauth_token instead of anthropic_api_key The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key. --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#27) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#24) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: skip Claude Code reviewer on Dependabot PRs (#28) * ci: skip Claude Code reviewer on Dependabot PRs The claude workflow fails on Dependabot PRs because secrets (CLAUDE_CODE_OAUTH_TOKEN) are not available to the dependabot actor. This blocks the dependabot auto-merge automation when claude is a required status check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: use PR author login instead of github.actor for Dependabot check github.actor reflects who triggered the workflow run (e.g. a maintainer reopening), not the PR author. Use github.event.pull_request.user.login for reliable Dependabot detection, consistent with dependabot-automerge.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: move Dependabot exclusion to step-level in Claude workflow (#30) * ci: move Dependabot exclusion to step-level in Claude workflow Move the dependabot[bot] check from job-level `if` to step-level `if` so the claude job runs and reports SUCCESS (with a skipped step) instead of being skipped entirely. A skipped job doesn't satisfy required status checks in branch protection, but a successful job with a skipped step does. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: guard step-level Dependabot check for pull_request events only The step-level if needs to handle issue_comment and pull_request_review_comment events where github.event.pull_request is not present. Use event_name guard to avoid null dereference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.82 (#26) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.80 to 1.0.82. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@094bd24...88c168b) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.88 (#34) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.83 to 1.0.88. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@bee87b3...1eddb33) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.88 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: enable Claude issue trigger per org CI standard (#48) Add issues:[labeled] event trigger and claude label support so Claude can work issues autonomously — reading the issue, creating a branch, implementing the fix, and opening a PR. Matches the standard defined in petry-projects/.github#24. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add checkout step to Claude workflow for issue-triggered mode (#49) The claude-code-action runs git fetch/checkout internally during branch setup but requires the repository to already be cloned on the runner. Without actions/checkout, issue-triggered runs fail with: fatal: not a git repository Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: split Claude workflow into interactive + issue automation jobs (#61) * feat: split Claude workflow into interactive + issue automation jobs Aligns with the org standard in petry-projects/.github. The claude-issue job runs in automation mode with tools to create PRs, self-review, check CI, and tag code owners when ready. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add concurrency guard and comment tools to claude-issue job - Add concurrency group keyed on issue number to prevent duplicate runs - Add gh pr comment and gh issue comment to allowedTools for review replies, thread resolution, and code owner tagging - Remove Bash(cat:*) since the Read tool already covers file reads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: switch to org-level reusable Claude Code workflow (#62) * chore: add CODEOWNERS file for code review enforcement Adds .github/CODEOWNERS assigning @don-petry as default code owner for all files, satisfying the compliance requirement for code owner review enforcement on pull requests. Closes #47 Co-authored-by: don-petry <don-petry@users.noreply.github.com> * fix: rename codeql workflow and add javascript-typescript + actions matrix (#81) - Rename codeql-analysis.yml → codeql.yml (compliance: exact filename required) - Replace Python with javascript-typescript (matches TalkTerm stack) - Add actions language scan (required: repo has .github/workflows/*.yml) - Use matrix strategy for multi-language scanning per ci-standards.md - Update schedule to Friday 17:00 UTC per org standard Closes #41 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> * chore(workflows): adopt centralized stubs from petry-projects/.github (#82) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: correct reusable workflow path (remove duplicate .github/) (#135) fix: correct reusable workflow path (remove duplicate .github/ segment) Changed: petry-projects/.github/.github/workflows/... To: petry-projects/.github/workflows/... Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * Revert "fix: correct reusable workflow path (remove duplicate .github/) (#135)" This reverts commit 2f121a1. * ci: add auto-rebase workflow and check_run trigger to claude.yml * add check_run trigger to claude.yml * add auto-rebase.yml workflow * chore(ci): remove stray codeql.yml workflow (#115) The org now uses GitHub-managed CodeQL default setup. The per-repo codeql.yml was drift and ran a duplicate analysis alongside default setup. Removing it per the org standard. Closes #96 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(security): remove drift codeql.yml, enable GitHub-managed default setup (#117) Per org CI standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. Per-repo codeql.yml files are treated as drift by the compliance audit. Actions taken: - Removed .github/workflows/codeql.yml (drift per-repo advanced setup) - Re-confirmed default setup via API: state=configured, query_suite=default The GitHub-managed default setup is already running CodeQL scans. The compliance audit 403 is a PAT scope issue in the audit bot (needs Administration:read scope on the audit bot token in petry-projects/.github). Closes #95 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin dependency-audit reusable workflow to SHA (#120) Pins the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy. Closes #89 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#123) Pins agent-shield-reusable.yml@v1 to its commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to comply with the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: pin dependabot-automerge reusable workflow to SHA (#124) Pins `dependabot-automerge-reusable.yml@v1` to commit SHA `ee22b427cbce9ecadcf2b436acb57c3adf0cb63d` to satisfy the Action Pinning Policy in ci-standards.md. Closes #87 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(ci): pin agent-shield reusable workflow to SHA (#126) Pins agent-shield-reusable.yml@v1 to its full commit SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) to satisfy the org-wide action-pinning policy. Closes #85 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: add bot accounts to CODEOWNERS for auto-merge support * chore: standardize CODEOWNERS on @petry-projects/org-leads (#160) Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#143) chore(deps): bump petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#142) chore(deps): bump petry-projects/.github/.github/workflows/dependency-audit-reusable.yml Bumps [petry-projects/.github/.github/workflows/dependency-audit-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#141) chore(deps): bump petry-projects/.github/.github/workflows/agent-shield-reusable.yml Bumps [petry-projects/.github/.github/workflows/agent-shield-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/agent-shield-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db (#140) chore(deps): bump petry-projects/.github/.github/workflows/feature-ideation-reusable.yml Bumps [petry-projects/.github/.github/workflows/feature-ideation-reusable.yml](https://github.com/petry-projects/.github) from ee22b427cbce9ecadcf2b436acb57c3adf0cb63d to 0bba48104323486ac3b003ba3eba0ef747d9a7db. - [Commits](petry-projects/.github@ee22b42...0bba481) --- updated-dependencies: - dependency-name: petry-projects/.github/.github/workflows/feature-ideation-reusable.yml dependency-version: 0bba48104323486ac3b003ba3eba0ef747d9a7db dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> * chore(dev-lead): remove claude.yml — replaced by dev-lead.yml (#176) * feat: implement issue #162 — Compliance: codeowners-no-catchall (#182) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #175 — Compliance: non-stub-pr-review-mention.yml (#185) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #148 — Compliance: non-stub-dependency-audit.yml (#195) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #149 — Compliance: non-stub-dependabot-automerge.yml (#193) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #150 — Compliance: non-stub-agent-shield.yml (#192) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #151 — Compliance: non-stub-feature-ideation.yml (#190) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #161 — Compliance: codeowners-org-leads-not-first (#189) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #200 — [Fleet Monitor] petry-projects/TalkTerm — dev-lead.yml (#202) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: implement issue #86 — Compliance: unpinned-actions-claude.yml (#196) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * feat: implement issue #163 — Compliance: check-suite-auto-trigger-1236702 (#206) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * rollout: deploy pr-review-mention standard workflow (#236) * rollout: deploy pr-review-mention standard workflow * fix(bot): address bot feedback [skip ci-relay] --------- Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * chore: sync 6 org-standard workflow stub(s) from petry-projects/.github * fix(ci): auto-fix for SonarCloud Code Analysis [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * feat: implement issue #217 — Compliance: codeowners-org-leads-not-first (#270) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: update gitleaksignore aec934f comment to improved format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add gitleaksignore entries for commit 45b6a8e Add false-positive suppressions for SHA256 content checksums in _bmad/_config/files-manifest.csv (lines 281, 282, 284, 300, 409, 433) that are flagged by gitleaks' generic-api-key rule. These are file-content checksums, not credentials — same pattern as prior commits e8cc095 and aec934f. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Root <donpetry@users.noreply.github.com> Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* Add Claude Code GitHub Action for PR reviews * fix: address review feedback on Claude Code workflow - Restrict issue_comment trigger to PR comments only - Add author-association check (OWNER/MEMBER/COLLABORATOR) - Add pull_request_review_comment trigger - Add timeout-minutes to prevent runaway jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use CLAUDE_CODE_OAUTH_TOKEN org secret Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add id-token: write permission for OAuth auth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address remaining review comments - Pin claude-code-action to commit SHA for supply-chain safety - Add fork PR guard (secrets unavailable for fork PRs) - Scope pull_request trigger to main branch - Use >- folded scalar for if expression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: DJ <dj@Rachels-Air.localdomain> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ANTHROPIC_API_KEYsecret to be configured in repo settingsSetup Required
ANTHROPIC_API_KEYas a repository secret (Settings → Secrets and variables → Actions)🤖 Generated with Claude Code
Summary by CodeRabbit