ci: wire RBKunnela/sinkra-action as PR validation gate #44

Open

RBKunnela wants to merge 2 commits into main from ci/wire-sinkra-action

Conversation

RBKunnela (Owner) commented May 23, 2026

Summary

Wires RBKunnela/sinkra-action@v0.1.3 (SHA af19709) as a PR validation check on this repo.

  • Triggers on pull_request (opened/synchronize/reopened) and push to main
  • Runs the 9-agent AIOX council (architecture, code, data, ops, product, quality)
  • Posts verdict as a GitHub check-run + PR comment
  • Reads ZAI_API_KEY from existing repo secrets (configured 2026-05-22)
  • SHA-pinned per supply-chain hygiene (tag v0.1.3 in comment for human readability)

What this does NOT do

This PR does not make the new check a required status check. After this PR is merged AND the workflow has run once on a real PR, the verbatim check context name (captured from gh pr checks) must be added to branch protection > required_status_checks.contexts in a separate operation. That step happens post-merge.

Governance

Chore-style CI wiring change — no source code touched. The SINKRA chain still applies per .claude/rules/automated-pr-merge-authority.md (in AIOX-Enterprise):

Only @devops merges. Do not enable auto-merge.

Verification

Once CI runs on this PR itself, verify:

  1. The Sinkra Validation job appears in checks
  2. Verbatim check context name captured for branch protection update
  3. No errors related to ZAI_API_KEY (already in secrets)

🤖 Generated with Claude Code — Gage (@devops)

Summary by CodeRabbit

  • Chores
    • Added automated validation workflow that runs on pull requests and pushes to the main branch, ensuring code quality checks are performed automatically.

Review Change Stack

Adds .github/workflows/sinkra-validation.yml — runs the 9-agent AIOX
council on every PR (opened/sync/reopened) and on push to main.

SHA-pinned to v0.1.3 (af19709) per supply-chain hygiene. Reads
ZAI_API_KEY from repo secrets (already configured 2026-05-22).

Once this workflow has run on a PR, the verbatim check context name
must be added to branch protection's required_status_checks.contexts
in a separate operation (post-merge).
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai Bot commented May 23, 2026

Warning

Review limit reached

@RBKunnela, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 25 minutes and 7 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4778c6b0-4651-4427-b6c9-25f6953bf098

📥 Commits

Reviewing files that changed from the base of the PR and between 98e6800 and 8ce4e0d.

📒 Files selected for processing (1)
  • .github/workflows/friendlyai-review.yml

Walkthrough

New GitHub Actions workflow triggers SINKRA validation on pull request lifecycle events and pushes to main. The workflow checks out the repository with full history and invokes the SHA-pinned RBKunnela/sinkra-action@v0.1.3 with explicitly scoped permissions (read contents, write to PRs/checks/issues) and required secrets wired from repository configuration.

Changes

CI Validation Workflow

Layer / File(s): SINKRA validation workflow setup (.github/workflows/sinkra-validation.yml)
Summary: Workflow runs on pull_request (opened, synchronize, reopened) and push to main with read access to repository contents and write access to PRs, checks, and issues. Checks out the head commit with full git history and invokes sinkra-action v0.1.3 with ZAI_API_KEY and GITHUB_TOKEN inputs from repository secrets.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'ci: wire RBKunnela/sinkra-action as PR validation gate' accurately describes the main change: integrating the sinkra-action workflow as a CI validation check.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/sinkra-validation.yml:
  • Around line 33-35: Replace the unpinned checkout action and enable non-persistent credentials: change the "uses: actions/checkout@v4" invocation to a SHA-pinned ref (use the full commit SHA for actions/checkout) and add "with: persist-credentials: false" (preserving any existing keys like fetch-depth) so GITHUB_TOKEN is not written to .git/config; update the workflow step that contains uses: actions/checkout@v4 and ensure the new SHA ref and persist-credentials: false are present.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c6348a4d-3f84-492c-82e2-7f208bf79eb1

📥 Commits

Reviewing files that changed from the base of the PR and between c403add and 98e6800.

📒 Files selected for processing (1)
  • .github/workflows/sinkra-validation.yml

Comment thread on .github/workflows/sinkra-validation.yml (Outdated), lines +33 to +35:

        uses: actions/checkout@v4
        with:
          fetch-depth: 0

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

SHA-pin the checkout action and disable credential persistence.

Two supply-chain and credential security gaps:

  1. Unpinned action: actions/checkout@v4 uses tag-pinning instead of SHA-pinning. This violates the stated "blanket policy" from static analysis and contradicts your own supply-chain hygiene comment on line 38. An attacker who compromises the v4 tag can inject malicious code.

  2. Credential persistence: Missing persist-credentials: false leaves GITHUB_TOKEN in .git/config after checkout. If the sinkra-action or future steps expose git configuration, the token can leak.

🔒 Proposed fix for SHA pinning and credential persistence
      - name: Checkout PR head
-       uses: actions/checkout@v4
+       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
+         persist-credentials: false
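Review bot: with `persist-credentials: false` the token is no longer stored in `.git/config`, so any later step that authenticates to GitHub must receive `GITHUB_TOKEN` explicitly; the walkthrough records that the sinkra-action step already takes `GITHUB_TOKEN` as an input, so that holds for this workflow, but any step added later that pushes or fetches will need the token passed the same way. The trailing `# v4.2.2` on the `uses:` line is informational only and the runner does not verify that the SHA and the tag agree, so check that pairing against the actions/checkout release before committing the suggestion. `fetch-depth: 0` is preserved as the hunk intends.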
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 32-35: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

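A minimal line-based check for the two findings zizmor raised above (an unpinned `uses:` reference and a checkout step without `persist-credentials: false`), as an added example that is neither zizmor's own code nor part of this PR; the two workflow fragments are constructed to mirror the step quoted in the review and CodeRabbit's proposed fix, and the scan assumes one `uses:` per step with its `with:` block indented beneath it.

```python
import re

# Constructed fragments mirroring the checkout step quoted in the review
# (BEFORE) and CodeRabbit's proposed fix (AFTER); not the PR's actual file.
BEFORE = """\
steps:
  - name: Checkout PR head
    uses: actions/checkout@v4
    with:
      fetch-depth: 0
"""
AFTER = """\
steps:
  - name: Checkout PR head
    uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    with:
      fetch-depth: 0
      persist-credentials: false
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")  # first token only, so "# v4.2.2" comments are ignored
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # only a full 40-hex commit SHA counts as pinned

def lint_workflow(text: str) -> list[str]:
    """Line-based scan for the two zizmor rules raised on this PR; assumes one
    `uses:` per step with `with:` indented beneath it (a real linter would parse YAML)."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):  # local and docker refs carry no @ref to pin
            continue
        action, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(f"unpinned-uses: {ref} is not pinned to a full commit SHA")
        if action == "actions/checkout":
            # Step keys sit at the indent of `uses:` (two deeper when the line starts with `- `);
            # lines indented at least that far, up to the next step, belong to this step.
            key_level = len(line) - len(line.lstrip()) + (2 if line.lstrip().startswith("-") else 0)
            step = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_level:
                    break
                step.append(nxt.strip())
            if "persist-credentials: false" not in step:
                findings.append("artipacked: actions/checkout does not set persist-credentials: false")
    return findings
```

Running `lint_workflow(BEFORE)` reproduces both zizmor findings and `lint_workflow(AFTER)` returns none, which is the check a reviewer would apply to the proposed fix before committing it.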

Swap the private RBKunnela/sinkra-action for the public
RBKunnela/friendlyai-review wrapper. The action behaviour is identical
(same 9-agent council) but the public wrapper is consumable from any
repo and carries the FriendlyAI public brand.

Changes:
- delete .github/workflows/sinkra-validation.yml
- add .github/workflows/friendlyai-review.yml
- SHA-pin to cd694398 (v0.1.0)
- check-run name: `friendlyai-review/verdict`
- workflow job name: `9-agent council review`

The post-merge step (add the verbatim check context to
required_status_checks.contexts) stays the same; the new context name
will be captured from `gh pr checks` after CI runs.