
chore(governance): add CI/CD governance baseline #44

Closed
chitcommit wants to merge 1 commit into main from automation/governance-baseline


@chitcommit
Contributor

Automated governance baseline remediation from org control loop.

Copilot AI review requested due to automatic review settings March 2, 2026 02:39
@cloudflare-workers-and-pages
Contributor

cloudflare-workers-and-pages bot commented Mar 2, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | chittyconnect | 522e085 | Mar 02 2026, 02:40 AM |

@github-actions
Contributor

github-actions bot commented Mar 2, 2026

⚠️ Unsigned Commits Detected

This PR contains unsigned commits. ChittyOS requires all commits to be cryptographically signed.

How to fix this:

Option 1: Sign with SSH key (Recommended)

# Configure Git to use SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

# Re-sign your commits
git rebase --exec 'git commit --amend --no-edit -S' HEAD~N
git push --force-with-lease

Option 2: Sign with 1Password

  1. Enable "Sign Git commits" in 1Password settings
  2. Configure Git: git config --global gpg.ssh.program /path/to/op-ssh-sign

Option 3: Sign with GPG

git config --global commit.gpgsign true
git config --global user.signingkey YOUR_KEY_ID

📚 1Password SSH Signing Guide

@coderabbitai

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@chitcommit has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 11 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 8fd2047 and 522e085.

📒 Files selected for processing (7)
  • .github/allowed-workflow-secrets.txt
  • .github/secret-catalog.json
  • .github/workflows/adversarial-review.yml
  • .github/workflows/governance-gates.yml
  • .github/workflows/identity-context-onboarding.yml
  • .github/workflows/onepassword-rotation-audit.yml
  • .gitleaks.toml

Comment on lines +10 to +11
uses: ./.github/workflows/reusable-governance-gates.yml
secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

In general, to fix this problem you must add a permissions block that explicitly scopes the GITHUB_TOKEN to the minimal rights needed. This can be done either at the root of the workflow (applies to all jobs without their own permissions) or at the specific job level. Since this workflow only defines a single job (gates) that delegates to a reusable workflow, adding a minimal job-level permissions block is straightforward and avoids changing any other workflows.

The best minimal, non-breaking fix here is to add permissions: contents: read to the gates job. That grants only read access to repository contents, which is generally sufficient for governance checks and aligns with GitHub’s recommended minimal baseline. If the reusable workflow needs more granular write permissions (e.g., pull-requests: write), those can and should be defined inside reusable-governance-gates.yml rather than in this caller, but we cannot modify that file based on the snippet provided. Concretely, in .github/workflows/governance-gates.yml, under jobs: gates:, insert a permissions: section with contents: read before the existing uses: line. No imports or additional definitions are required for this YAML change.

Suggested changeset 1
.github/workflows/governance-gates.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/governance-gates.yml b/.github/workflows/governance-gates.yml
--- a/.github/workflows/governance-gates.yml
+++ b/.github/workflows/governance-gates.yml
@@ -7,5 +7,7 @@
 
 jobs:
   gates:
+    permissions:
+      contents: read
     uses: ./.github/workflows/reusable-governance-gates.yml
     secrets: inherit
EOF
@@ -7,5 +7,7 @@

jobs:
gates:
permissions:
contents: read
uses: ./.github/workflows/reusable-governance-gates.yml
secrets: inherit
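Review bot: the `permissions:` block added on the `gates` job also caps the called workflow, because a reusable workflow can only keep or reduce the GITHUB_TOKEN permissions its caller grants, never raise them. If `reusable-governance-gates.yml` needs anything beyond `contents: read` (for example `pull-requests: write`), that scope has to be granted here on the caller job, so add a comment beside the block recording what the callee requires. The unchanged `secrets: inherit` line in the same hunk still hands every secret to the callee; named secret mappings would match the least-privilege intent of the token change.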
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +10 to +17
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate ChittyID Context Onboarding
        shell: bash
        run: |
          set -euo pipefail
          bash scripts/check-chitty-onboarding.sh .chittyconnect.yml

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 2 months ago

In general, the fix is to explicitly set a permissions block in the workflow (either at the top level or per job) that grants only the minimum required scopes to GITHUB_TOKEN. For this workflow, the job only needs to read repository contents to run the validation script, so contents: read at the workflow or job level is sufficient.

The best fix with no behavior change is to add a workflow-level permissions section directly under the name: (before on:), specifying contents: read. This will apply to all jobs (currently only identity-onboarding) unless they override it, and ensures the token cannot perform write operations such as pushing commits or modifying issues/PRs. Concretely, in .github/workflows/identity-context-onboarding.yml, between line 1 (name: Identity & Context Onboarding Gate) and line 3 (on:), insert:

permissions:
  contents: read

No additional methods, imports, or definitions are needed, as this is purely a YAML configuration change for GitHub Actions.

Suggested changeset 1
.github/workflows/identity-context-onboarding.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/identity-context-onboarding.yml b/.github/workflows/identity-context-onboarding.yml
--- a/.github/workflows/identity-context-onboarding.yml
+++ b/.github/workflows/identity-context-onboarding.yml
@@ -1,4 +1,6 @@
 name: Identity & Context Onboarding Gate
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: Identity & Context Onboarding Gate
permissions:
contents: read

on:
pull_request:
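Review bot: the new top-level `permissions:` key is placed directly under `name:` with no blank line, while a blank line separates it from `on:`; add one after `name:` so the top-level keys are spaced consistently. Because the block is workflow-level it becomes the default for every job in the file, so a short comment stating that `contents: read` is the intended default, and that any later job needing write access must declare its own job-level `permissions:`, would keep the restriction from being widened at the top by accident.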
Copilot is powered by AI and may make mistakes. Always verify output.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 522e08531c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/governance-gates.yml
Comment thread .github/workflows/identity-context-onboarding.yml
Comment thread .github/workflows/onepassword-rotation-audit.yml

Copilot AI left a comment


Pull request overview

Adds a CI/CD governance baseline by introducing GitHub Actions workflows for governance gates, identity/context onboarding checks, adversarial review orchestration, and a scheduled 1Password rotation audit, plus supporting governance configuration files.

Changes:

  • Add new governance-focused GitHub Actions workflows (gates, onboarding, adversarial review, rotation audit).
  • Add a secret rotation catalog (.github/secret-catalog.json) and an allowed workflow secrets list.
  • Add a baseline .gitleaks.toml allowlist configuration.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

Show a summary per file

| File | Description |
| --- | --- |
| .gitleaks.toml | Introduces gitleaks config with an allowlist for known test/example paths. |
| .github/workflows/onepassword-rotation-audit.yml | Adds scheduled/manual rotation audit workflow that uploads reports and opens/issues on failure. |
| .github/workflows/identity-context-onboarding.yml | Adds PR/push gate intended to validate onboarding context config. |
| .github/workflows/governance-gates.yml | Adds a wrapper workflow intended to call a reusable governance workflow. |
| .github/workflows/adversarial-review.yml | Adds PR-target workflow to request reviewers and post bot review trigger comments. |
| .github/secret-catalog.json | Defines a catalog of secrets with 1Password references and rotation policy metadata. |
| .github/allowed-workflow-secrets.txt | Defines an allowlist of secret names permitted for workflows. |


Comment thread .github/workflows/governance-gates.yml
Comment thread .github/workflows/onepassword-rotation-audit.yml
Comment thread .github/workflows/identity-context-onboarding.yml
Comment thread .github/workflows/onepassword-rotation-audit.yml
Comment thread .github/workflows/onepassword-rotation-audit.yml
Comment thread .gitleaks.toml
@claude

claude bot commented Mar 2, 2026

PLACEHOLDER - will replace

@claude

claude bot commented Mar 2, 2026

Claude Code Review -- PR #44: CI/CD Governance Baseline

Overall intent is sound -- adding secret rotation auditing, gitleaks config, and adversarial review automation is a worthwhile governance baseline. However, there are several blocking issues and security concerns that need to be addressed before merging.


Blocking Issues

1. governance-gates.yml references a non-existent reusable workflow

reusable-governance-gates.yml does not exist in this repository. This workflow will fail with a workflow-not-found error on every PR and every push to main immediately after merge, blocking all future CI.

The file must be created in this PR, or governance-gates.yml must be removed/deferred until the reusable workflow is ready.

2. identity-context-onboarding.yml references missing artifacts

The step runs bash scripts/check-chitty-onboarding.sh .chittyconnect.yml but:

  • scripts/check-chitty-onboarding.sh does not exist (verified against current scripts/ directory)
  • .chittyconnect.yml is not present in the repo and is not added by this PR

This workflow will fail on every PR and push to main.

3. onepassword-rotation-audit.yml references a missing script

scripts/onepassword-rotation-audit.sh does not exist. The scheduled workflow will fail daily. The script must be added in this PR.


Security Concerns

4. pull_request_target trigger in adversarial-review.yml

pull_request_target runs with the base repository's secrets and write permissions, even for PRs from forks. While this workflow does not check out PR code directly, it runs actions/github-script in a privileged context. If extended to include a checkout step without care, it becomes a supply chain attack vector.

Recommendation: Use pull_request instead unless fork-originated write access is specifically needed. If pull_request_target is required, add an inline comment explaining the justification.

5. secrets: inherit with a non-existent reusable workflow

secrets: inherit in governance-gates.yml passes all repository and org secrets to the callee. When the reusable workflow is eventually written, it should only receive the specific secrets it needs via named mappings, not blanket inheritance -- especially for a governance workflow that runs on every PR.

6. Actions not pinned to SHA digests

None of the new actions are pinned to immutable SHA digests (actions/github-script@v7, 1password/install-cli-action@v1, actions/checkout@v4, actions/upload-artifact@v4). Tags are mutable. For security-sensitive workflows, pin actions to full commit SHAs.

7. Shell injection risk in onepassword-rotation-audit.yml

The jq filter is constructed via shell string concatenation with the title variable embedded directly. This breaks if the title contains single quotes and could be exploited. Use jq's --arg flag for safe variable binding instead.


Quality and Operational Concerns

8. Bot auto-triggering on every sync event

adversarial-review.yml posts @coderabbitai review and @copilot review on every open/reopen/synchronize/ready_for_review event. This is already causing rate-limit hits visible in this PR's comment thread. Consider triggering only on opened and ready_for_review.

9. allowed-workflow-secrets.txt has no enforcement

Nothing in this PR validates that only the listed secrets are used in workflows. Without a linting step, this is documentation only. Either add enforcement or rename it to clarify its non-binding nature.

10. Missing concurrency controls

None of the new workflows define concurrency groups. Rapid pushes will stack parallel runs, which is problematic for workflows that gate PRs.

11. Unsigned commits (already flagged by existing CI)

The chitcommit bot's commits are unsigned, which the existing pr-security.yml workflow flags as a policy violation. A governance PR should comply with the signing policy it is meant to enforce.


Summary

| Severity | Issue | File |
| --- | --- | --- |
| Blocking | Missing reusable-governance-gates.yml | governance-gates.yml |
| Blocking | Missing check-chitty-onboarding.sh + .chittyconnect.yml | identity-context-onboarding.yml |
| Blocking | Missing onepassword-rotation-audit.sh | onepassword-rotation-audit.yml |
| Security | pull_request_target without justification | adversarial-review.yml |
| Security | secrets: inherit to non-existent workflow | governance-gates.yml |
| Security | Actions not pinned to SHA | All new workflows |
| Security | Shell injection risk in jq expression | onepassword-rotation-audit.yml |
| Quality | Bot auto-trigger on every sync event | adversarial-review.yml |
| Quality | allowed-workflow-secrets.txt not enforced | .github/ |
| Quality | Missing concurrency groups | All new workflows |
| Quality | Unsigned commits | All commits |

The three blocking issues must be resolved before merge. The security concerns should also be addressed -- a governance PR should meet the bar it is trying to set.
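
An added example, not part of the PR or of any reviewer's comment: a small linter that enforces the review's points 5, 6 and 9 together with the CodeQL permissions alert. The allowlist format (one name per line, `#` comments), the sample workflow, the `SLACK_WEBHOOK` secret name, `./audit.sh` and the 40-character SHA are constructed assumptions.

```python
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
SECRET_RE = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample inputs, not the PR's real files.
SAMPLE_ALLOWLIST = "# constructed: one secret name per line\nOP_SERVICE_ACCOUNT_TOKEN\n"
SAMPLE_WORKFLOW = """\
name: constructed-sample
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: 1password/install-cli-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - run: ./audit.sh
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
  gates:
    uses: ./.github/workflows/reusable-governance-gates.yml
    secrets: inherit
"""

def parse_allowlist(text):
    """Assumed format: one secret name per line, '#' starts a comment."""
    names = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {n for n in names if n}

def lint_workflow(text, allowed):
    """Return sorted (rule, detail) findings for one workflow file's text."""
    findings = set()
    for ref in USES_RE.findall(text):
        # Local ./ references are exempt; anything else needs a full commit SHA.
        if not ref.startswith("./") and not SHA_RE.fullmatch(ref.partition("@")[2]):
            findings.add(("unpinned-action", ref))
    for name in SECRET_RE.findall(text):
        if name != "GITHUB_TOKEN" and name not in allowed:
            findings.add(("secret-not-allowlisted", name))
    if re.search(r"^\s*secrets:\s*inherit\s*$", text, re.M):
        findings.add(("secrets-inherit", "all secrets passed to callee"))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.add(("no-permissions-block", "GITHUB_TOKEN not scoped"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, detail in lint_workflow(SAMPLE_WORKFLOW, parse_allowlist(SAMPLE_ALLOWLIST)):
        print(f"{rule}: {detail}")
```

The checks are regex-based rather than a YAML parse, so they are a CI gate for the common cases, not a full workflow validator.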

@chitcommit chitcommit enabled auto-merge (squash) March 9, 2026 09:36
@chitcommit
Contributor Author

Superseded — governance baseline merged in #57

@chitcommit chitcommit closed this Mar 12, 2026
auto-merge was automatically disabled March 12, 2026 14:02

Pull request was closed

@chitcommit chitcommit deleted the automation/governance-baseline branch March 12, 2026 14:03