
chore(governance): add CI/CD governance baseline #3

Open
chitcommit wants to merge 1 commit into main from automation/governance-baseline

Conversation

@chitcommit
Contributor

@chitcommit chitcommit commented Mar 2, 2026

Automated governance baseline remediation from org control loop.

Summary by CodeRabbit

  • Chores
    • Enhanced security and governance infrastructure with automated workflows for pull request validation
    • Established secret management configuration with credential scanning controls
    • Added automated code review orchestration to streamline the review process
    • Implemented secret rotation auditing with automated issue tracking and reporting
    • Configured identity and context onboarding validation gates

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Mar 2, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status                 Name         Latest Commit   Updated (UTC)
❌ Deployment failed   chittyscore  365e84f         Mar 02 2026, 02:17 AM

@coderabbitai

coderabbitai bot commented Mar 2, 2026

📝 Walkthrough


This PR adds GitHub Actions workflows, secret management configurations, and security scanning allowlists. It introduces workflows for adversarial code review orchestration, governance gates validation, identity context onboarding checks, and 1Password secret rotation auditing, alongside supporting secret catalog and security scanning configurations.

Changes

Cohort / File(s): Secret Management Configuration (.github/allowed-workflow-secrets.txt, .github/secret-catalog.json)
Summary: Added allowlist of seven secrets and defined a ChittyOS vault with four secrets (CHITTYCONNECT_BROKER_TOKEN, CHITTY_GATEWAY_TOKEN, CHITTY_AGENT_TOKEN, ORG_AUTOMATION_TOKEN) with 30-day rotation and platform-security ownership.

Cohort / File(s): GitHub Actions Workflows (.github/workflows/adversarial-review.yml, .github/workflows/governance-gates.yml, .github/workflows/identity-context-onboarding.yml, .github/workflows/onepassword-rotation-audit.yml)
Summary: Added four new workflows: adversarial review orchestrator requesting reviewer agents and posting review directives; governance gates delegating to reusable workflow; identity context onboarding checking chitty configuration; and 1Password rotation auditor with secret validation, CLI installation, and issue creation/update logic.

Cohort / File(s): Security Scanning Configuration (.gitleaks.toml)
Summary: Added gitleaks allowlist configuration defining file path patterns under _ext/chittyid and _ext/chittyops directories to exclude from credential scanning.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


Poem

🐰 With workflows spun from GitHub's loom,
And secrets catalogued, no more gloom,
Rotation audits dance each night,
While gitleaks guards with scanning light,
ChittyOS governance takes its flight! 🚀

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name          Status     Explanation
Description Check   ✅ Passed  Check skipped - CodeRabbit’s high-level summary is enabled.
Title check         ✅ Passed  The title accurately describes the main change: adding CI/CD governance baseline through new workflow files, secret configurations, and governance gates.
Docstring Coverage  ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 365e84f1c0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/adversarial-review.yml:
- Around line 32-46: The workflow currently always calls github.rest.issues.createComment which produces duplicate comments on each synchronize; change the script in the "Trigger Bot Review Comments" step to upsert a single bot comment by (1) listing existing comments for context.payload.pull_request.number via github.rest.issues.listComments, (2) searching for a comment authored by the bot or containing a unique marker string from the lines array, and (3) calling github.rest.issues.updateComment to edit that comment if found or falling back to github.rest.issues.createComment if not found; keep the existing "lines" content and references to context.repo and context.payload.pull_request.number when creating/updating the comment.

In @.github/workflows/governance-gates.yml:
- Line 10: The workflow references a missing reusable workflow via the uses: entry (reusable-governance-gates.yml), so either add the reusable workflow file named reusable-governance-gates.yml to the repository workflows directory or update the uses: value in the governance-gates.yml workflow to point to the existing reusable workflow filename/id that actually exists; ensure the uses: key in governance-gates.yml matches the exact name/location of the reusable workflow you add or the correct existing workflow reference.

In @.github/workflows/onepassword-rotation-audit.yml:
- Around line 34-38: The workflow currently masks script failures by converting the script's non-zero exit into an output flag; instead run the audit so a failing script fails the job: replace the conditional block that runs "bash scripts/onepassword-rotation-audit.sh .github/secret-catalog.json reports/secret-rotation" and writes "status=pass/fail" to GITHUB_OUTPUT with logic that preserves the script's exit code (either run the script directly and let its non-zero exit fail the step, or if you must emit the status, run the script and on failure echo the status and then "exit 1"); reference the script path scripts/onepassword-rotation-audit.sh and the existing "status=..." GITHUB_OUTPUT writes when making the change.
- Line 50: The step currently assigns body="$(cat reports/secret-rotation/latest.md)" and will fail if that file is missing; change the step so the body assignment first checks for the presence of reports/secret-rotation/latest.md and uses its contents only if present, otherwise sets a safe fallback message (e.g., "Secret rotation report not generated" or include stderr output) so the step does not abort; implement this by replacing the direct cat usage in the body assignment with a conditional file-exists check or a shell fallback (read file if -f, else set default) so the issue-creation step always runs.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a7ca45e and 365e84f.

📒 Files selected for processing (7)
  • .github/allowed-workflow-secrets.txt
  • .github/secret-catalog.json
  • .github/workflows/adversarial-review.yml
  • .github/workflows/governance-gates.yml
  • .github/workflows/identity-context-onboarding.yml
  • .github/workflows/onepassword-rotation-audit.yml
  • .gitleaks.toml
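The two onepassword-rotation-audit.yml findings above (a masked audit exit code, and a `cat` of a report that may not exist) as one added shell example. This is not code from the PR; the audit script, catalog and report paths, and the file standing in for GITHUB_OUTPUT are assumptions, and the stub audit script in `demo` is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the PR: an audit step that fails the job when the
# audit script fails (instead of downgrading the failure to status=fail) and a
# report reader with a fallback for a missing file. Paths are assumptions.
set -u

# Run the audit script, record status=pass|fail for later steps, and return the
# script's own exit code so a non-zero exit still fails the step.
# $1 audit script  $2 secret catalog  $3 report dir  $4 file standing in for $GITHUB_OUTPUT
run_rotation_audit() {
  local script="$1" catalog="$2" report_dir="$3" output_file="$4" rc=0
  bash "$script" "$catalog" "$report_dir" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "status=pass" >> "$output_file"
  else
    echo "status=fail" >> "$output_file"
  fi
  return "$rc"
}

# Print the report body, or a safe fallback when the report was never written,
# so the issue-creation step can always run.
report_body() {
  local report="$1"
  if [ -f "$report" ]; then
    cat "$report"
  else
    echo "Secret rotation report not generated (expected $report)"
  fi
}

# Constructed demo: a stub audit script that writes no report and exits 1.
demo() {
  local tmp rc=0
  tmp="$(mktemp -d)"
  printf '%s\n' '#!/usr/bin/env bash' 'echo "stub audit: rotation overdue" >&2' 'exit 1' > "$tmp/audit.sh"
  run_rotation_audit "$tmp/audit.sh" "$tmp/catalog.json" "$tmp/reports" "$tmp/output" || rc=$?
  echo "audit exit code: $rc"       # 1: the step would fail
  cat "$tmp/output"                  # status=fail
  report_body "$tmp/reports/latest.md"
}
```

In the workflow the same two functions would replace the inline `if bash ...; then status=pass; else status=fail; fi` block and the bare `body="$(cat ...)"` assignment, with `$GITHUB_OUTPUT` passed as the fourth argument.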
