Dogfood proof-pr receipt workflow (#87)

Add a manual proof-pr workflow and committed proof-pr receipt for GithubRepoAuditor dogfood.

Author: saagpatel

.github/workflows/proof-pr.yml

@@ -0,0 +1,17 @@
+name: proof-pr
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  proof:
+    uses: saagpatel/proof-pr/.github/workflows/proof-pr-receipt.yml@v0.1.3
+    with:
+      receipt_path: proof-pr.json
+      proof_pr_ref: v0.1.3
+      artifact_name: github-repo-auditor-proof-pr
+      artifact_glob: proof-pr-artifacts/**

proof-pr.json

@@ -0,0 +1,158 @@
+{
+  "schema_version": "proof-pr.v1",
+  "receipt_id": "saagpatel-github-repo-auditor-proof-pr-dogfood",
+  "generated_at": "2026-06-20T09:00:00Z",
+  "subject": {
+    "repo": "saagpatel/GithubRepoAuditor",
+    "pr_number": null,
+    "pr_url": null,
+    "base_ref": "main",
+    "base_sha": "b69bd828a240572594ed4a8afec159e546fccefa",
+    "head_ref": "chore/proof-pr-dogfood",
+    "head_sha": "pending-pr-head"
+  },
+  "producer": {
+    "tool": "proof-pr",
+    "version": "0.1.3",
+    "agent": "codex",
+    "mode": "local"
+  },
+  "risk": {
+    "tier": "T3",
+    "reasons": [
+      "adds a GitHub Actions workflow",
+      "introduces proof-pr as a reusable CI evidence consumer",
+      "commits a machine-readable proof receipt"
+    ],
+    "changed_surfaces": [
+      "github-actions",
+      "proof-receipt",
+      "public-repo-evidence"
+    ]
+  },
+  "change": {
+    "summary": "Adds an advisory proof-pr dogfood workflow and committed receipt for GitHub Repo Auditor.",
+    "files_touched": [
+      ".github/workflows/proof-pr.yml",
+      "proof-pr.json"
+    ],
+    "diff_stats": {
+      "files": 2,
+      "additions": 175,
+      "deletions": 0
+    },
+    "scope_notes": "No application code, package metadata, generated portfolio truth, or release workflow behavior changes."
+  },
+  "evidence": [
+    {
+      "id": "proof-pr-validate",
+      "kind": "repo-native",
+      "command": [
+        "proof-pr validate proof-pr.json"
+      ],
+      "status": "passed",
+      "required": true,
+      "summary": "Committed receipt validates against proof-pr.v1 schema."
+    },
+    {
+      "id": "proof-pr-render",
+      "kind": "repo-native",
+      "command": [
+        "proof-pr render proof-pr.json"
+      ],
+      "status": "passed",
+      "required": true,
+      "summary": "Receipt renders into the standard Markdown PR block."
+    },
+    {
+      "id": "workflow-yaml",
+      "kind": "repo-native",
+      "command": [
+        "ruby -e \"require 'yaml'; YAML.load_file('.github/workflows/proof-pr.yml')\""
+      ],
+      "status": "passed",
+      "required": true,
+      "summary": "New workflow YAML parses."
+    },
+    {
+      "id": "public-fixture-proof-package",
+      "kind": "repo-native",
+      "command": [
+        "PYTHONDONTWRITEBYTECODE=1 python3 scripts/validate_proof_package.py docs/demo-proof/public-fixture/proof-package.json"
+      ],
+      "status": "passed",
+      "required": true,
+      "summary": "Existing public fixture proof package remains valid."
+    },
+    {
+      "id": "secrets-scan",
+      "kind": "security",
+      "command": [
+        "gitleaks detect --source . --no-banner --redact --verbose"
+      ],
+      "status": "passed",
+      "required": true,
+      "summary": "No leaks found in the dogfood worktree."
+    },
+    {
+      "id": "public-boundary-scan",
+      "kind": "security",
+      "status": "passed",
+      "required": true,
+      "summary": "No private repo names, local paths, personal email, or token prefixes found in the new public dogfood files."
+    },
+    {
+      "id": "full-test-suite",
+      "kind": "test",
+      "status": "skipped",
+      "required": false,
+      "summary": "No Python source, package metadata, or generated truth surface changed.",
+      "reason": "The PR adds only an advisory workflow caller and proof receipt; normal CI still runs on pull_request."
+    },
+    {
+      "id": "screenshots",
+      "kind": "screenshot",
+      "status": "not_applicable",
+      "required": false,
+      "summary": "No UI, workbook, dashboard, or visual artifact changed."
+    }
+  ],
+  "security": {
+    "secrets_scan": {
+      "status": "passed",
+      "summary": "Gitleaks scan found no leaks."
+    },
+    "permission_diff": {
+      "status": "passed",
+      "summary": "New workflow grants explicit read-only permissions: contents: read and actions: read."
+    },
+    "redaction": {
+      "status": "not_applicable",
+      "summary": "No screenshots or generated portfolio artifacts are included in this PR."
+    }
+  },
+  "rollback": {
+    "status": "documented",
+    "path": "Revert this PR or remove .github/workflows/proof-pr.yml and proof-pr.json.",
+    "notes": "The workflow is manual-only and advisory, so rollback does not require data migration or external cleanup."
+  },
+  "artifacts": [
+    {
+      "id": "proof-pr-json",
+      "kind": "json",
+      "path_or_url": "proof-pr.json",
+      "description": "Committed proof-pr dogfood receipt.",
+      "required": true,
+      "external": false
+    }
+  ],
+  "limitations": [
+    "The committed receipt uses pending-pr-head because a receipt committed in the same change cannot know its final commit SHA before the commit exists.",
+    "PR number and PR URL should be reflected in the pull request proof block after PR creation.",
+    "The workflow is manual-only for dogfood; pull_request enforcement is intentionally deferred."
+  ],
+  "overall": {
+    "status": "passed_with_warnings",
+    "review_decision": "ready_with_operator_awareness"
+  }
+}