fix: address review comments and absorb Dependabot version bumps

Review fixes (CodeRabbit + Copilot):
- Fix sync_labels subshell scoping: use process substitution instead
  of piped while loop so changes variable propagates correctly
- Use grep -qxF instead of grep -qx to avoid regex interpretation
- Read default branch from config instead of hardcoding "main"
- Handle explicit false overrides for vulnerability_alerts
- Remove unused issues: write permission from workflow
- Create drift issue before closing old ones to prevent gap
- Add concurrency group to prevent parallel sync runs
- Raise repo list limit from 200 to 1000
- Add label field structure validation to baseline schema check

Dependabot bumps absorbed:
- actions/checkout v4.2.2 -> v6.0.2
- actions/setup-python v5.6.0 -> v6.2.0
- actions/upload-artifact v4.6.2 -> v7.0.0
- github/codeql-action v3.28.18 -> v4.32.6
- peter-evans/create-pull-request v7.0.8 -> v8.1.0

Lint fixes:
- Fix MD032 (blanks around lists) in skill SKILL.md
- Fix MD029 (ordered list prefix) in audit SKILL.md
- Fix MD041 (first line heading) in copilot-instructions and PR template
- Fix MD034 (bare URLs) in CONTRIBUTING.md and SECURITY.md
- Remove unused drift_count variable (shellcheck SC2034)

Author: gamaware

.claude/skills/add-repo-override/SKILL.md

@@ -13,6 +13,7 @@ Add a per-repo exception to `config/overrides.json`.
 `$ARGUMENTS` should be in the format: `<repo-name> <setting-path> <value>`
 
 Examples:
+
 - `my-repo branch_protection.required_status_checks.contexts '["Build","Test"]'`
 - `my-repo repo_settings.has_wiki true`
 

.claude/skills/audit/SKILL.md

@@ -17,7 +17,7 @@ Run a dry-run sync to check for drift without applying changes.
 ./scripts/sync-repo-settings.sh --dry-run
 ```
 
-2. Display the report:
+1. Display the report:
 
 ```bash
 cat reports/sync-report.md

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,3 +1,5 @@
+# Pull Request
+
 ## What changed
 
 <!-- Brief description of the change -->

.github/actions/security-scan/action.yml

@@ -24,7 +24,7 @@ runs:
         output: trivy-results.sarif
 
     - name: Upload Trivy results to GitHub Security
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
       if: always()
       with:
         sarif_file: trivy-results.sarif

.github/actions/update-pre-commit-composite/action.yml

@@ -10,7 +10,7 @@ runs:
   using: composite
   steps:
     - name: Set up Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: "3.x"
 
@@ -23,7 +23,7 @@ runs:
       run: pre-commit autoupdate
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
       with:
         token: ${{ inputs.github_token }}
         commit-message: "chore: update pre-commit hook versions"

.github/copilot-instructions.md

@@ -1,4 +1,4 @@
-Review priorities for this repository:
+# Review Priorities
 
 1. Shell script quality: shellcheck and shellharden compliance, proper
    quoting, error handling (set -euo pipefail), no hardcoded tokens

.github/workflows/quality-checks.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Lint markdown
         uses: DavidAnson/markdownlint-cli2-action@db4c2f7b1e4a6de4660458dd8d547f94deaac667 # v22.0.0
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Lint YAML
         uses: ibiqlik/action-yamllint@2576f72e4b4e5aef56e60fc8a24fa17e25be1fef # v3.1.1
@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check required files
         run: |
@@ -90,6 +90,12 @@ jobs:
               echo "OK: section '$section' present"
             fi
           done
+          # Validate label structure
+          LABEL_ERRORS=$(jq '[.labels[] | select(.name == null or .color == null or .description == null)] | length' config/baseline.json)
+          if [ "$LABEL_ERRORS" -gt 0 ]; then
+            echo "ERROR: $LABEL_ERRORS labels missing required fields (name, color, description)"
+            ERRORS=$((ERRORS + LABEL_ERRORS))
+          fi
           if [ "$ERRORS" -gt 0 ]; then
             echo "ERROR: baseline.json schema validation failed"
             exit 1
@@ -100,7 +106,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install zizmor
         run: |

.github/workflows/security.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/sync-settings.yml

@@ -15,17 +15,20 @@ on:
           - "--dry-run"
           - "--apply"
 
+concurrency:
+  group: settings-sync
+  cancel-in-progress: false
+
 permissions:
   contents: read
-  issues: write
 
 jobs:
   sync:
     name: Sync Settings
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run settings sync
         id: sync
@@ -35,7 +38,7 @@ jobs:
           github_token: ${{ secrets.ORG_SETTINGS_PAT }}
 
       - name: Upload report artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sync-report-${{ github.run_number }}
           path: reports/sync-report.md
@@ -49,42 +52,50 @@ jobs:
             echo ""
             echo "| Metric | Value |"
             echo "| --- | --- |"
-            echo "| Repositories scanned | ${{ steps.sync.outputs.total_repos }} |"
-            echo "| Compliant | ${{ steps.sync.outputs.compliant }} |"
-            echo "| Drift detected | ${{ steps.sync.outputs.drift }} |"
-            echo "| Mode | ${{ github.event.inputs.mode || '--apply' }} |"
+            echo "| Repositories scanned | $TOTAL_REPOS |"
+            echo "| Compliant | $COMPLIANT |"
+            echo "| Drift detected | $DRIFT |"
+            echo "| Mode | $MODE |"
             echo ""
             echo "### Full Report"
             echo ""
             cat reports/sync-report.md
           } >> "$GITHUB_STEP_SUMMARY"
+        env:
+          TOTAL_REPOS: ${{ steps.sync.outputs.total_repos }}
+          COMPLIANT: ${{ steps.sync.outputs.compliant }}
+          DRIFT: ${{ steps.sync.outputs.drift }}
+          MODE: ${{ github.event.inputs.mode || '--apply' }}
 
-      - name: Create or update drift issue
+      - name: Create drift issue
         if: steps.sync.outputs.has_drift == 'true'
         env:
           GH_TOKEN: ${{ secrets.ORG_SETTINGS_PAT }}
+          DRIFT: ${{ steps.sync.outputs.drift }}
+          TOTAL_REPOS: ${{ steps.sync.outputs.total_repos }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          SYNC_MODE: ${{ github.event.inputs.mode || '--apply' }}
         run: |
           TITLE="chore: settings drift detected — $(date '+%Y-%m-%d')"
-          BODY=$(cat <<'ISSUE_EOF'
-          ## Settings Drift Report
+          BODY="## Settings Drift Report
 
-          **Run**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-          **Mode**: ${{ github.event.inputs.mode || '--apply' }}
-          **Repos with drift**: ${{ steps.sync.outputs.drift }} / ${{ steps.sync.outputs.total_repos }}
+          **Run**: $RUN_URL
+          **Mode**: $SYNC_MODE
+          **Repos with drift**: $DRIFT / $TOTAL_REPOS
 
-          See the [workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for the full report.
+          See the [workflow run]($RUN_URL) for the full report."
 
-          ISSUE_EOF
-          )
+          # Create new issue first, then close old ones
+          gh issue create --title "$TITLE" --body "$BODY" --label "settings-drift"
 
-          # Close previous drift issues
+          # Close previous drift issues (all except the one just created)
+          LATEST=$(gh issue list --label "settings-drift" --state open --json number --jq '.[0].number')
           gh issue list --label "settings-drift" --state open --json number --jq '.[].number' | while read -r num; do
-            gh issue close "$num" --comment "Superseded by new sync run."
+            if [ "$num" != "$LATEST" ]; then
+              gh issue close "$num" --comment "Superseded by new sync run."
+            fi
           done
 
-          # Create new issue
-          gh issue create --title "$TITLE" --body "$BODY" --label "settings-drift"
-
       - name: Close drift issue if compliant
         if: steps.sync.outputs.has_drift == 'false'
         env:
@@ -99,7 +110,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check for new repos
         id: newrepos
@@ -116,7 +127,7 @@ jobs:
             || date -u -v-7d '+%Y-%m-%dT%H:%M:%SZ')
           NEW_REPOS=$(gh repo list gamaware --no-archived --json name,createdAt \
             --jq "[.[] | select(.createdAt > \"$WEEK_AGO\")] | .[].name" \
-            --limit 200 || echo "")
+            --limit 1000 || echo "")
 
           if [ -n "$NEW_REPOS" ]; then
             echo "has_new=true" >> "$GITHUB_OUTPUT"
@@ -148,7 +159,7 @@ jobs:
             --label "new-repo"
 
       - name: Upload new repos report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: new-repos-report-${{ github.run_number }}
           path: reports/new-repos.md

.github/workflows/update-pre-commit-hooks.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false