
chore(coderabbit): defer SHA-pinning + bracket-style nits on workflow…#24

Merged: emeraldleaf merged 1 commit into main from chore/coderabbit-defer-rules on May 24, 2026
emeraldleaf (Owner) commented May 24, 2026

… PRs

CodeRabbit re-flags the same two architectural deferrals on every workflow PR — SHA-pinning individual new actions and bracket-spacing-style nits inside branches: [ main ]. Both are explicitly project decisions documented in docs/dev-loop.md Gap 4 and the existing repo convention, respectively. Each re-flag wastes a review round and produces stale "Requested changes" reviews that block merge until manually dismissed.

Add a path_instructions block for .github/workflows/*.yml so CodeRabbit knows the deferrals and doesn't re-suggest them on new workflows. Also positively re-direct it toward the workflow review signals that DO matter (persist-credentials, set -euo pipefail, permissions blocks, concurrency, secret hygiene) so the new instructions reduce noise without dampening useful findings.

This is the .coderabbit.yaml escape hatch — encoding project conventions where CodeRabbit can read them, rather than re-defending them per PR.

What changed

How it was built

Verification

Touches (check only if applies)

  • EF Core migration (immutable once applied — see CLAUDE.md "Performance Rules")
  • CLAUDE.md or a See CLAUDE.md paraphrase (run /check-rules to audit drift)

Summary by CodeRabbit

  • Chores
    • Updated development configuration settings for code review automation to include enhanced standards for workflow consistency and security practices.
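
The workflow review signals named in the description above (persist-credentials, set -euo pipefail, permissions blocks, concurrency, secret hygiene) can also be checked mechanically. The following is an added example, not code from this repository or from CodeRabbit: a heuristic, line-based check run over a constructed sample workflow, where `lint_workflow`, `SAMPLE` and the token pattern are assumptions made for illustration.

```python
import re

# Constructed sample workflow (not from the repository); the token is a fake.
SAMPLE = """\
name: ci
on:
  push:
    branches: [ main ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        env:
          API_TOKEN: FAKE_TOKEN
        run: |
          ./build.sh | tee build.log
""".replace("FAKE_TOKEN", "ghp_" + "X" * 36)

# Assumed pattern: GitHub token prefixes followed by a long alphanumeric body.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_\w{22,})")

def lint_workflow(text):
    """Return findings for the five signals; heuristic, not a YAML parser."""
    findings = []
    for key in ("permissions", "concurrency"):
        # Accepts the key at workflow or job level.
        if not re.search(rf"^[ \t]*{key}:", text, re.M):
            findings.append(f"missing {key} block")
    # One chunk per list item, so a step's `with:` and `run:` stay together.
    for chunk in re.split(r"(?m)^(?=[ \t]*- )", text):
        if re.search(r"uses:\s*actions/checkout@", chunk) and not re.search(
            r"persist-credentials:\s*false", chunk
        ):
            findings.append("checkout without persist-credentials: false")
        # Only multi-line run blocks are checked.
        if re.search(r"\brun:\s*[|>]", chunk) and "set -euo pipefail" not in chunk:
            findings.append("run block without set -euo pipefail")
    for m in TOKEN_RE.finditer(text):
        # Report only a prefix so the finding does not repeat the secret.
        findings.append(f"hardcoded token {m.group()[:8]}...")
    return findings

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE):
        print(finding)
```

The sample trips all five checks; a workflow that declares `permissions` and `concurrency`, sets `persist-credentials: false` on checkout, starts its run block with `set -euo pipefail` and reads the token from `secrets` produces no findings.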


… PRs

CodeRabbit re-flags the same two architectural deferrals on every workflow
PR — SHA-pinning individual new actions and bracket-spacing-style nits
inside `branches: [ main ]`. Both are explicitly project decisions
documented in docs/dev-loop.md Gap 4 and the existing repo convention,
respectively. Each re-flag wastes a review round and produces stale
"Requested changes" reviews that block merge until manually dismissed.

Add a path_instructions block for .github/workflows/*.yml so CodeRabbit
knows the deferrals and doesn't re-suggest them on new workflows. Also
positively re-direct it toward the workflow review signals that DO matter
(persist-credentials, set -euo pipefail, permissions blocks, concurrency,
secret hygiene) so the new instructions reduce noise without dampening
useful findings.

This is the .coderabbit.yaml escape hatch — encoding project conventions
where CodeRabbit can read them, rather than re-defending them per PR.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
coderabbitai Bot commented May 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 0676956a-24e8-4d52-830b-8ccc17a52680

📥 Commits

Reviewing files that changed from the base of the PR and between 2aa0972 and 6d8a74d.

📒 Files selected for processing (1)
  • .coderabbit.yaml

Walkthrough

Configuration update adds GitHub Actions review rules to .coderabbit.yaml, specifying version-pinning standards, security hygiene checks (permissions, credentials, strict bash mode), concurrency group requirements, and secret/token flagging conventions.

Changes

GitHub Actions Review Rules

| Layer / File(s) | Summary |
|---|---|
| GitHub Actions workflow review rules (.coderabbit.yaml) | New reviews.path_instructions block for GitHub Actions workflows defines version-pinning conventions, bracket spacing standards, and security checks flagging missing persist-credentials, bash strict mode, permissions, concurrency groups, plaintext secrets, and hardcoded tokens. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding CodeRabbit configuration rules for GitHub workflows to defer SHA-pinning suggestions and bracket-style formatting nits. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


codecov Bot commented May 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@emeraldleaf emeraldleaf merged commit 709f9d9 into main May 24, 2026
6 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request May 24, 2026
2 tasks
@emeraldleaf emeraldleaf deleted the chore/coderabbit-defer-rules branch June 4, 2026 00:40