ci(dev-lead): pin caller to @dev-lead/ring1 (staged canary)

[don-petry]

Part of the staged canary rollout of dev-lead v1.4.0.

Pins TalkTerm's dev-lead caller to the dev-lead/ring1 channel (ring 1 of the staged promotion per versioning.md Phase 2). dev-lead/ring1 → dev-lead/v1.4.0.

Also normalizes the pin from a frozen SHA to the moving channel tag form, which is the intended caller contract (rollout/rollback = a central tag move, never a caller edit).

Ring order: .github-private→next · petry-projects/.github→ring0 · TalkTerm→ring1 · rest→stable (unchanged). A companion PR in petry-projects/.github teaches the compliance audit to accept ring channels.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 15 minutes and 54 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ad38754c-4f79-46ec-be82-39f678622cb1

📥 Commits

Reviewing files that changed from the base of the PR and between 6c8bc1c and a27accc.

📒 Files selected for processing (2)

• .github/workflows/dev-lead.yml
• .gitleaksignore

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/dev-lead-canary-ring1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

CI Failure: SonarCloud Code Analysis

Step: SonarCloud Code Analysis (security quality gate)
Root cause: Lint/style

SonarCloud flagged a high severity security finding in .github/workflows/dev-lead.yml at line 51: the PR replaced a pinned commit SHA (3f9e5808b5f3965c96f5698b0d8ff46550b45ba7) with a mutable channel tag (dev-lead/ring1) for the reusable workflow reference. Mutable tags can be silently redirected to arbitrary commits, making this a supply chain attack vector (CWE-829). SonarCloud enforces that external GitHub Actions/workflows must always be pinned to a full commit SHA.

Suggested fix: Replace the uses: line with the full commit SHA that dev-lead/ring1 currently resolves to — e.g., uses: petry-projects/.github-private/.github/workflows/dev-lead-reusable.yml@<full-sha> # dev-lead/ring1 — so the caller is immutably pinned while the comment preserves the human-readable channel name.

View run logs

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[donpetry-bot]

Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-21T03:26:40Z.

[github-actions]

CI Failure: SonarCloud Code Analysis

Step: SonarCloud Quality Gate
Root cause: Lint/style

The PR changed .github/workflows/dev-lead.yml to reference a mutable branch tag (dev-lead/ring1) instead of the previously pinned commit SHA (3f9e5808b5f3965c96f5698b0d8ff46550b45ba7). SonarCloud flags unpinned third-party workflow references as a security vulnerability (CWE-829 / supply-chain risk), because a mutable branch can be silently overwritten to point at malicious code. The quality gate fails when new security issues are introduced by a PR.

Suggested fix: Revert the uses: line in .github/workflows/dev-lead.yml back to the pinned SHA — uses: petry-projects/.github-private/.github/workflows/dev-lead-reusable.yml@3f9e5808b5f3965c96f5698b0d8ff46550b45ba7 # dev-lead/stable — or pin it to the resolved SHA of dev-lead/ring1 and update the agent_ref value accordingly.

View run logs

[don-petry]

Dev-Lead — review-changes (applied)

Changes committed and pushed.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[donpetry-bot]

Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-21T03:29:53Z.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: a27acccea24f0749329eca5f47f934de082f6d1d
Review mode: triage-approved (single reviewer)

Summary

Staged canary rollout (dev-lead v1.4.0, ring 1): pins TalkTerm's dev-lead caller from the stable channel SHA to the ring1 channel, and adds 6 .gitleaksignore false-positive fingerprints for SHA256 content checksums in a BMAD manifest CSV. 11 additions, 0 deletions across 2 config files. All CI green.

Linked issue analysis

No linked issue (closingIssuesReferences empty). PR is part of a documented staged promotion described in versioning.md Phase 2; the body explains the ring order and rollout/rollback model (central tag move, never a caller edit). Nothing to verify against an issue.

Findings

No blocking findings.

• .github/workflows/dev-lead.yml: uses: pin moves 3f9e5808 (dev-lead/stable) → ded84ce4820dce379f177f9992beb74483f6d6b4 (dev-lead/ring1), and agent_ref is threaded consistently to dev-lead/ring1. The pin remains a full 40-char commit SHA (secure action-pinning preserved), and that SHA is a verified real commit (current HEAD of the first-party petry-projects/.github-private repo). secrets: inherit and permissions: contents: write are unchanged. Note: the PR body says it 'normalizes from a frozen SHA to the moving channel tag form,' but the actual diff keeps a full-SHA pin with a channel comment — which is the safer choice; flagging only as a body/diff wording mismatch, not a defect.
• .gitleaksignore: 6 new fingerprints for commit c5099d1 target the same _bmad/_config/files-manifest.csv rows, same generic-api-key rule, and same line numbers as entries already accepted above; rationale (SHA256 content checksums = false positives) is consistent and narrowly scoped. Not masking new secrets.
• Secret-scan MCP (run_secret_scanning) is not exposed in this environment; relied on the green Secret scan (gitleaks) CI check instead.
• Stale ci-analyst 'CI Failure: SonarCloud' comment refers to an earlier SHA (709604b); current SonarCloud checks report SUCCESS.

CI status

All required checks green. SUCCESS: AgentShield, Secret scan (gitleaks), CodeQL, Analyze (actions/python), SonarCloud (x3 incl. Code Analysis), CodeRabbit, review, pr-auto-review, dev-lead/dispatch, dependency-audit detect. SKIPPED (n/a): dependabot-automerge, dev-lead/ci-relay, language-specific audits. No failing checks.

---

Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

[github-actions]

CI Failure: SonarCloud Code Analysis

Step: SonarCloud Quality Gate
Root cause: Config error

The SonarCloud quality gate failed on this PR. The diff only touches .github/workflows/dev-lead.yml (promoting the reusable workflow ref from dev-lead/stable to dev-lead/ring1) and .gitleaksignore (adding false-positive suppressions for SHA-keyed CSV entries). Neither change introduces application source code, but SonarCloud may be flagging the new .gitleaksignore lines as security hotspots because they contain the string generic-api-key alongside long hex commit SHAs — patterns that SonarCloud's secret-detection heuristics can misinterpret as hardcoded credentials. Alternatively, the quality gate may be failing because SonarCloud is configured to block on any new security hotspot, even a false positive.

Suggested fix: Open the SonarCloud dashboard, locate the new security hotspot(s) introduced by this PR, and mark them as Won't Fix / False Positive with a brief justification (e.g., "gitleaks ignore entry, not a real credential") to clear the quality gate.

View run logs