ci: add compliance gate job for org ruleset

[chitcommit]

Summary

• Adds standalone compliance gate job so check context matches org-level required status check
• Fixes the compliance / compliance vs compliance context mismatch that blocks PR merges

Test plan

• compliance check appears as a standalone status check
• PRs are no longer blocked by org ruleset

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Warning

Rate limit exceeded

@chitcommit has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 47 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6d65f088-cd2d-49b4-adf4-cf6e15886061

📥 Commits

Reviewing files that changed from the base of the PR and between 32eb7d3 and ef1487a.

📒 Files selected for processing (1)

• .github/workflows/compliance-check.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/compliance-gate-fix

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

1. @coderabbitai review
2. @copilot review
3. @codex review
4. @claude review
   Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

To fix the problem, explicitly declare a permissions: block that applies least-privilege settings to the workflow. Since neither job in this snippet needs to write to the repository and the compliance job appears to not use the token at all, we can set permissions: contents: read at the workflow root as a minimal, safe default. This documents the intended permissions and prevents escalation if repo/org defaults are broader. If the reusable workflow reusable-compliance-check.yml needs more granular permissions, they should be declared there; here we only constrain this workflow.

The best single change with no functional impact is to add a root-level permissions: block after the name: (or after on:) in .github/workflows/compliance-check.yml, setting contents: read. This applies to all jobs that do not override permissions, including both check and compliance. No imports or additional methods are needed; this is purely a YAML configuration change inside the workflow file.

Concretely, in .github/workflows/compliance-check.yml, insert:

permissions:
  contents: read

after line 2 (or any valid root position before jobs:). No other changes are required.