chore(deps): update stranske/workflows digest to a0bf67e

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
stranske/Workflows (changelog)	action	digest	a525e6e → a0bf67e

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 83f0d047-f7cb-4269-9c4e-a3bef6707a9a

📥 Commits

Reviewing files that changed from the base of the PR and between 4b57abb and e61644f.

📒 Files selected for processing (1)

• .github/workflows/agents-guard.yml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• stranske/Workflows (auto-detected) → reviewed against open PR #2546 renovate/stranske-workflows-digest instead of the default branch
• stranske/Template (auto-detected) → reviewed against open PR #881 renovate/stranske-workflows-digest instead of the default branch

📜 Recent review details

⏰ Context from checks skipped due to timeout. (4)

• GitHub Check: Python CI / python 3.13
• GitHub Check: Python CI / python 3.12
• GitHub Check: Python CI / lint-format
• GitHub Check: Python CI / lint-ruff

⚠️ CI failures not shown inline (2)

GitHub Actions: Claude Code Review (Opt-in) / Resolve review target: chore(deps): update stranske/workflows digest to a0bf67e

Conclusion: failure

View job details

##[group]Run set -euo pipefail
 �[36;1mset -euo pipefail�[0m
 �[36;1m�[0m
 �[36;1m# Use dedicated scripts dir, create if needed�[0m
 �[36;1mINSTALL_DIR=""�[0m
 �[36;1mif [ -z "$INSTALL_DIR" ]; then�[0m
 �[36;1m  INSTALL_DIR="$***GITHUB_WORKSPACE***/.github/scripts"�[0m
 �[36;1mfi�[0m
 �[36;1mmkdir -p "$INSTALL_DIR"�[0m
 �[36;1m�[0m
 �[36;1mecho "📦 Installing `@octokit` dependencies in $INSTALL_DIR..."�[0m
 �[36;1mcd "$INSTALL_DIR"�[0m
 �[36;1m�[0m
 �[36;1mdeclare -a VENDORED_ALIAS_DIRS=()�[0m
 �[36;1m�[0m
 �[36;1mcleanup_vendor_aliases() ***�[0m
 �[36;1m  if [ "$***`#VENDORED_ALIAS_DIRS`[@]***" -eq 0 ]; then�[0m
 �[36;1m    return 0�[0m
 �[36;1m  fi�[0m
 �[36;1m�[0m
 �[36;1m  local cleanup_dir="$INSTALL_DIR"�[0m
 �[36;1m  if [ -z "$cleanup_dir" ]; then�[0m
 �[36;1m    echo "::warning::Install dir is empty, skipping vendored alias cleanup"�[0m
 �[36;1m    return 0�[0m
 �[36;1m  fi�[0m
 �[36;1m�[0m
 �[36;1m  if ! pushd "$cleanup_dir" >/dev/null 2>&1; then�[0m
 �[36;1m    echo "::warning::Failed to enter install dir \"$cleanup_dir\"; skipping vendored alias cleanup"�[0m
 �[36;1m    return 0�[0m
 �[36;1m  fi�[0m
 �[36;1m�[0m
 �[36;1m  for vendored_alias in "$***VENDORED_ALIAS_DIRS[@]***"; do�[0m
 �[36;1m    if [ -z "$vendored_alias" ]; then�[0m
 �[36;1m      continue�[0m
 �[36;1m    fi�[0m
 �[36;1m    rm -rf -- "$vendored_alias" || true�[0m
 �[36;1m    local parent_dir�[0m
 �[36;1m    parent_dir=$(dirname "$vendored_alias")�[0m
 �[36;1m    # Remove empty parent directories that may have been created for scoped packages�[0m
 �[36;1m    while [ "$parent_dir" != "." ] && [ "$parent_dir" != "/" ]; do�[0m
 �[36;1m      rmdir -- "$parent_dir" 2>/dev/null || break�[0m
 �[36;1m      parent_dir=$(dirname "$parent_dir")�[0m
 �[36;1m    done�[0m
 �[36;1m  done�[0m
 �[36;1m�[0m
 �[36;1m  popd >/dev/null 2>&1 || true�[0m
 �[36;1m***�[0m
 �[36;1m�[0m
 �[36;1mtrap cleanup_vendor_aliases EXIT�[0m
 �[36;1m�[0m
 �[36;1mcreate_vendor_aliases() ***�[0m
 �[36;1m  if [ ! -f "package.json" ];...

---

GitHub Actions: Claude Code Review (Opt-in) / 5_Resolve review target.txt: chore(deps): update stranske/workflows digest to a0bf67e

Conclusion: failure

View job details

##[group]Run set -euo pipefail
 �[36;1mset -euo pipefail�[0m
 �[36;1m�[0m
 �[36;1m# Use dedicated scripts dir, create if needed�[0m
 �[36;1mINSTALL_DIR=""�[0m
 �[36;1mif [ -z "$INSTALL_DIR" ]; then�[0m
 �[36;1m  INSTALL_DIR="$***GITHUB_WORKSPACE***/.github/scripts"�[0m
 �[36;1mfi�[0m
 �[36;1mmkdir -p "$INSTALL_DIR"�[0m
 �[36;1m�[0m
 �[36;1mecho "📦 Installing `@octokit` dependencies in $INSTALL_DIR..."�[0m
 �[36;1mcd "$INSTALL_DIR"�[0m
 �[36;1m�[0m
 �[36;1mdeclare -a VENDORED_ALIAS_DIRS=()�[0m
 �[36;1m�[0m
 �[36;1mcleanup_vendor_aliases() ***�[0m
 �[36;1m  if [ "$***`#VENDORED_ALIAS_DIRS`[@]***" -eq 0 ]; then�[0m
 �[36;1m    return 0�[0m
 �[36;1m  fi�[0m
 �[36;1m�[0m
 �[36;1m  local cleanup_dir="$INSTALL_DIR"�[0m
 �[36;1m  if [ -z "$cleanup_dir" ]; then�[0m
 �[36;1m    echo "::warning::Install dir is empty, skipping vendored alias cleanup"�[0m
 �[36;1m    return 0�[0m
 �[36;1m  fi�[0m
 �[36;1m�[0m
 �[36;1m  if ! pushd "$cleanup_dir" >/dev/null 2>&1; then�[0m
 �[36;1m    echo "::warning::Failed to enter install dir \"$cleanup_dir\"; skipping vendored alias cleanup"�[0m
 �[36;1m    return 0�[0m
 �[36;1m  fi�[0m
 �[36;1m�[0m
 �[36;1m  for vendored_alias in "$***VENDORED_ALIAS_DIRS[@]***"; do�[0m
 �[36;1m    if [ -z "$vendored_alias" ]; then�[0m
 �[36;1m      continue�[0m
 �[36;1m    fi�[0m
 �[36;1m    rm -rf -- "$vendored_alias" || true�[0m
 �[36;1m    local parent_dir�[0m
 �[36;1m    parent_dir=$(dirname "$vendored_alias")�[0m
 �[36;1m    # Remove empty parent directories that may have been created for scoped packages�[0m
 �[36;1m    while [ "$parent_dir" != "." ] && [ "$parent_dir" != "/" ]; do�[0m
 �[36;1m      rmdir -- "$parent_dir" 2>/dev/null || break�[0m
 �[36;1m      parent_dir=$(dirname "$parent_dir")�[0m
 �[36;1m    done�[0m
 �[36;1m  done�[0m
 �[36;1m�[0m
 �[36;1m  popd >/dev/null 2>&1 || true�[0m
 �[36;1m***�[0m
 �[36;1m�[0m
 �[36;1mtrap cleanup_vendor_aliases EXIT�[0m
 �[36;1m�[0m
 �[36;1mcreate_vendor_aliases() ***�[0m
 �[36;1m  if [ ! -f "package.json" ];...

🧰 Additional context used

📓 Path-based instructions (6)

{pyproject.toml,.github/workflows/*.{yml,yaml}}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

{pyproject.toml,.github/workflows/*.{yml,yaml}}: Ensure coverage thresholds in pyproject.toml ([tool.coverage.report] fail_under) match the coverage-min settings in CI workflow files to avoid threshold conflicts
The Manager-Database repository has a coverage threshold of 75%

Files:

• .github/workflows/agents-guard.yml

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

When a GitHub Actions workflow fails with startup_failure, check for invalid YAML syntax, top-level permissions: blocks on workflow_call reusable workflows (which conflicts with caller permissions), invalid permission scopes, or circular workflow references

Files:

• .github/workflows/agents-guard.yml

.github/workflows/**/*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Reference reusable workflows with @main to match first-party consumer defaults, unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

• .github/workflows/agents-guard.yml

.github/workflows/agents-*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Synced workflows (agents-*.yml, autofix.yml) should be fixed in stranske/Workflows, not locally in the consumer repo.

Files:

• .github/workflows/agents-guard.yml

.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

First-party consumers should reference reusable workflows with @main unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

• .github/workflows/agents-guard.yml

{.github/workflows/agents-*.yml,.github/workflows/autofix.yml,.github/codex/**/*.{md,txt,prompt},**/*.sync.*}

📄 CodeRabbit inference engine (AGENTS.md)

Synced workflow files, agent prompts, scripts, and consumer docs should be fixed in stranske/Workflows through the sync manifest, not edited locally.

Files:

• .github/workflows/agents-guard.yml

🔀 Multi-repo context stranske/Workflows

Linked repositories findings

stranske/Workflows (PR branch refs/pull/2546/head)

• .github/workflows/agents-guard.yml:103 and :173 already reference stranske/Workflows/.github/actions/setup-api-client@a0bf67ebf03ca6767607b6da335fd21a88ebf787.
• The same workflow also has local fallback paths using ./.github/actions/setup-api-client at :93 and :163, so the pinned external fallback is only used when the local action is unavailable.

[::stranske/Workflows::]

🔇 Additional comments (1)

.github/workflows/agents-guard.yml (1)

114-114: Already flagged: update this synced workflow upstream.

These SHA bumps are mechanically fine, but .github/workflows/agents-guard.yml is synced from stranske/Workflows, so this change should be applied there and propagated downstream instead of being edited locally.

Also applies to: 183-183

Sources: Coding guidelines, Linked repositories

---

📝 Walkthrough

Walkthrough

The agents-guard.yml workflow updates the pinned commit SHA for the fallback stranske/Workflows/.github/actions/setup-api-client action in two places: the pull_request_target flow and the pull_request flow.

Changes

Agents Guard Workflow SHA Pin Update

Layer / File(s)	Summary
Update fallback action SHA in both workflow paths .github/workflows/agents-guard.yml	Replaces the prior pinned commit SHA for the fallback setup-api-client action with a new SHA in both workflow trigger paths.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

• stranske

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the dependency digest update to stranske/Workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/stranske-workflows-digest

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/agents-guard.yml:
- Line 114: The file `.github/workflows/agents-guard.yml` is a synced workflow
that should be maintained upstream in the `stranske/Workflows` repository, not
modified locally. Revert the pin update changes (updating the action reference
to use the new SHA de0849c19ac81e04dc4b1ce6f95c6ec53a4db945) from this pull
request in the agents-guard.yml file. Instead, apply the identical pin update
directly in the upstream `stranske/Workflows` repository at the corresponding
location, and allow the synchronization mechanism to propagate the change
downstream to this consumer repository automatically.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6b3f8c1f-e834-4165-ac53-9b58a56b3847

📥 Commits

Reviewing files that changed from the base of the PR and between 6f895ba and 90875a8.

📒 Files selected for processing (1)

• .github/workflows/agents-guard.yml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• stranske/Workflows (auto-detected)
• stranske/Template (auto-detected)

📜 Review details

🧰 Additional context used

📓 Path-based instructions (6)

{pyproject.toml,.github/workflows/*.{yml,yaml}}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

{pyproject.toml,.github/workflows/*.{yml,yaml}}: Ensure coverage thresholds in pyproject.toml ([tool.coverage.report] fail_under) match the coverage-min settings in CI workflow files to avoid threshold conflicts
The Manager-Database repository has a coverage threshold of 75%

Files:

• .github/workflows/agents-guard.yml

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

When a GitHub Actions workflow fails with startup_failure, check for invalid YAML syntax, top-level permissions: blocks on workflow_call reusable workflows (which conflicts with caller permissions), invalid permission scopes, or circular workflow references

Files:

• .github/workflows/agents-guard.yml

.github/workflows/**/*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Reference reusable workflows with @main to match first-party consumer defaults, unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

• .github/workflows/agents-guard.yml

.github/workflows/agents-*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Synced workflows (agents-*.yml, autofix.yml) should be fixed in stranske/Workflows, not locally in the consumer repo.

Files:

• .github/workflows/agents-guard.yml

.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

First-party consumers should reference reusable workflows with @main unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

• .github/workflows/agents-guard.yml

{.github/workflows/agents-*.yml,.github/workflows/autofix.yml,.github/codex/**/*.{md,txt,prompt},**/*.sync.*}

📄 CodeRabbit inference engine (AGENTS.md)

Synced workflow files, agent prompts, scripts, and consumer docs should be fixed in stranske/Workflows through the sync manifest, not edited locally.

Files:

• .github/workflows/agents-guard.yml

🔀 Multi-repo context stranske/Template, stranske/Workflows

Perfect! I now have comprehensive cross-repository context. Let me compile my findings:

Linked repositories findings

stranske/Template

Critical: Hardcoded pinned version references found in agents-guard.yml

The stranske/Template repository has hardcoded the OLD pinned commit SHA (a335f1af2c35b8f35d2278f56e9af78792a09bf1) of the setup-api-client action from stranske/Workflows in two locations:

• Line 114 of .github/workflows/agents-guard.yml — used as fallback for pull_request_target event

  uses: "stranske/Workflows/.github/actions/setup-api-client@a335f1af2c35b8f35d2278f56e9af78792a09bf1"

• Line 183 of .github/workflows/agents-guard.yml — used as fallback for pull_request event

  uses: "stranske/Workflows/.github/actions/setup-api-client@a335f1af2c35b8f35d2278f56e9af78792a09bf1"

[::stranske/Template::]

Impact on Template workflows:

Template's agents-guard.yml uses the fallback action in two critical security-sensitive contexts:

1. pull_request_target: For safety validation on the base ref before privileged context is used
2. pull_request: For the actual pull request event on the head ref

When the local .github/actions/setup-api-client action is unavailable (checked by steps.api_client_base.outputs.available and steps.api_client_head.outputs.available), the workflow falls back to the pinned stranske/Workflows version.

[::stranske/Template::]

Other affected workflows in Template:

20 workflows across Template reference stranske/Workflows in various ways:

• .github/workflows/agents-guard.yml (2 pinned references)
• .github/workflows/agents-*.yml (multiple workflows using reusable workflows and repository dispatch)
• .github/workflows/maint-*.yml and other CI workflows

[::stranske/Template::]

Action purpose and scope:

The setup-api-client action is critical infrastructure that:

• Installs pinned @octokit dependencies (rest, auth-app, plugin-retry, plugin-paginate-rest, lru-cache)
• Exports authentication tokens to environment variables (GITHUB_TOKEN, PATs, GitHub App credentials)
• Provides a machine-readable setup contract JSON for downstream steps
• Manages vendored dependency aliases and Node PATH configuration

[::stranske/Workflows::]

Recommendation for reviewers:

After this PR updates the pinned SHA in the Workflows repository, the stranske/Template repository will need to be updated separately to use the new commit SHA (de0849c) in its fallback references at lines 114 and 183 of .github/workflows/agents-guard.yml to ensure consistency and receive any fixes or improvements included in the new version.

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Confirm the new commit exists in stranske/Workflows
gh api repos/stranske/Workflows/commits/de0849c19ac81e04dc4b1ce6f95c6ec53a4db945 \
  --jq '{sha: .sha, date: .commit.committer.date}' || echo "Commit not found"

# 2) Ensure no leftover references to the OLD SHA anywhere in the repo
rg -n 'a335f1af2c35b8f35d2278f56e9af78792a09bf1' .github || echo "No stale old-SHA references remain"

# 3) Confirm both fallback pins now use the new SHA
rg -nP 'stranske/Workflows/\.github/actions/setup-api-client@[0-9a-f]{40}' .github/workflows/agents-guard.yml

Repository: stranske/Collab-Admin

Length of output: 511

---

🏁 Script executed:

#!/bin/bash
# Check if agents-guard.yml exists in stranske/Workflows
fd -n 'agents-guard\.yml' .github/workflows/

# Look for sync manifest files (commonly sync.yml, .sync-manifest.yml, etc.)
fd -n 'sync' . --type f -e yml -e yaml -e json | grep -E '(sync|manifest)' || echo "Searching for sync configuration..."

# Search for any references to sync behavior
rg -i 'sync' .github --type yml | head -20 || echo "No sync config found"

Repository: stranske/Workflows

Length of output: 682

---

🏁 Script executed:

#!/bin/bash
# Check if there's a sync manifest in Collab-Admin
fd -n 'sync' . --type f -e yml -e yaml -e json | grep -iE '(sync|manifest)'

# Look for any documentation about sync
find . -name "README*" -o -name "SYNC*" -o -name ".sync*" | xargs cat 2>/dev/null || echo "No sync docs found"

Repository: stranske/Collab-Admin

Length of output: 50379

---

🏁 Script executed:

#!/bin/bash
# Check if agents-guard.yml exists in stranske/Workflows
find .github/workflows -name 'agents-guard.yml' 2>/dev/null || echo "File not found in Workflows"

# Look for sync configuration files
find . -type f \( -name '*sync*' -o -name '.sync*' \) 2>/dev/null | head -20

Repository: stranske/Workflows

Length of output: 1226

---

🏁 Script executed:

#!/bin/bash
# Look for sync-related files only
find . -type f \( -name '*sync*' -o -name '.sync*' \) 2>/dev/null

# Look at the README to understand the structure
head -50 README.md 2>/dev/null || echo "No README found"

# Check if there's a manifest or config explaining synced files
find . -name '*.json' -o -name '*.yml' -o -name '*.yaml' | xargs grep -l 'sync' 2>/dev/null | head -10

Repository: stranske/Collab-Admin

Length of output: 3352

---

🏁 Script executed:

#!/bin/bash
# Check the sync manifest to see if agents-guard.yml is listed as a synced file
cat ./.github/sync-manifest.yml | head -100

Repository: stranske/Workflows

Length of output: 5350

---

🏁 Script executed:

#!/bin/bash
# Check if Collab-Admin references the sync manifest or has any sync configuration
find . -name 'sync-manifest.yml' 2>/dev/null
ls -la .github/ | grep -i sync || echo "No local sync config"

# Check git config or any CI references to sync
git config --local --list 2>/dev/null | grep -i sync || echo "No sync config"

Repository: stranske/Collab-Admin

Length of output: 195

---

🏁 Script executed:

#!/bin/bash
# Search for agents-guard in the sync manifest
grep -n "agents-guard" ./.github/sync-manifest.yml

Repository: stranske/Workflows

Length of output: 303

---

🏁 Script executed:

#!/bin/bash
# Get the full context for agents-guard.yml in the sync manifest
sed -n '106,115p' ./.github/sync-manifest.yml

Repository: stranske/Workflows

Length of output: 650

---

Synced workflow should be updated in stranske/Workflows, not locally.

Both fallback pins are updated consistently to the same SHA (de0849c…) with full 40-char digests, which is mechanically correct. However, agents-guard.yml is listed in the upstream stranske/Workflows sync manifest as a file intended for synchronization to consumer repos. Per coding guidelines, such synced files should be maintained in the source repository and synced downstream, rather than edited locally in consumers. Apply this change upstream in Workflows and allow it to propagate via the sync mechanism.

Note: stranske/Template still pins the old SHA at lines 114/183 of its agents-guard.yml and will need the same update separately.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/agents-guard.yml at line 114, The file
`.github/workflows/agents-guard.yml` is a synced workflow that should be
maintained upstream in the `stranske/Workflows` repository, not modified
locally. Revert the pin update changes (updating the action reference to use the
new SHA de0849c19ac81e04dc4b1ce6f95c6ec53a4db945) from this pull request in the
agents-guard.yml file. Instead, apply the identical pin update directly in the
upstream `stranske/Workflows` repository at the corresponding location, and
allow the synchronization mechanism to propagate the change downstream to this
consumer repository automatically.

Source: Coding guidelines