ci: add compliance check workflow for org ruleset

[chitcommit]

Summary

• Adds compliance-check.yml calling the reusable compliance workflow
• Workflow name set to compliance to match org-level required status check context
• Unblocks PR merges that were blocked by missing compliance check

Test plan

• Verify compliance check appears in PR status checks
• Confirm PR is no longer blocked by org ruleset

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[github-actions]

1. @coderabbitai review
2. @copilot review
3. @codex review
4. @claude review
   Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

[coderabbitai]

Warning

Rate limit exceeded

@chitcommit has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 27 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 52e93f84-7fc7-4b5c-acaf-310caf74ec41

📥 Commits

Reviewing files that changed from the base of the PR and between cda56a1 and b38f44d.

📒 Files selected for processing (1)

• .github/workflows/compliance-check.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/add-compliance-check

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

In general, to fix this category of issue you add a permissions: block either at the top (root) of the workflow to apply to all jobs, or under a specific job to apply only there. The block should grant the minimum scopes needed. For workflows that only run checks and do not need to write back to the repository, contents: read is a good baseline. If the reusable workflow needs additional permissions (for example, to update issues or pull requests), those can be added explicitly.

For this specific workflow, the simplest and safest change without altering behavior of the reusable workflow is to declare minimal read-only permissions at the workflow root, just under the name: key and before on:. This ensures the GITHUB_TOKEN available to the compliance job (and thus to the called reusable workflow) is constrained to read repository contents by default. If the reusable workflow requires more permissions, they can still be granted there; our change does not prevent that, but documents and constrains the default from this workflow’s side. Concretely, in .github/workflows/compliance-check.yml, add:

permissions:
  contents: read

between lines 1 and 3. No imports or additional methods are needed, since this is a YAML configuration change only.