chore(governance): add CI/CD governance baseline

[chitcommit]

Automated governance baseline remediation from org control loop.

[coderabbitai]

Warning

Rate limit exceeded

@chitcommit has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 28 minutes and 51 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 0a3456b and edd3a86.

📒 Files selected for processing (7)

• .github/allowed-workflow-secrets.txt
• .github/secret-catalog.json
• .github/workflows/adversarial-review.yml
• .github/workflows/governance-gates.yml
• .github/workflows/identity-context-onboarding.yml
• .github/workflows/onepassword-rotation-audit.yml
• .gitleaks.toml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch automation/governance-baseline

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: edd3a867b2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Point Governance Gates at a real reusable workflow

This workflow references ./.github/workflows/reusable-governance-gates.yml, but that file is not present in this repository (I checked with rg --files --hidden under /workspace/shared). As written, every pull_request/push trigger for this workflow will fail to start the gates job because GitHub cannot resolve the local reusable workflow target.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Call an onboarding validator script that exists in repo

The onboarding gate executes bash scripts/check-chitty-onboarding.sh .chittyconnect.yml, but neither scripts/check-chitty-onboarding.sh nor .chittyconnect.yml exists in this repo (verified via rg --files --hidden in /workspace/shared). That makes this job fail on every PR/push instead of acting as a meaningful policy gate.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Invoke an existing rotation-audit script

The audit step runs scripts/onepassword-rotation-audit.sh, but there is no such script in this repository (rg --files --hidden shows no scripts/ tree), so the scheduled/dispatch audit can never actually execute the rotation checks. This turns the workflow into a guaranteed failure path rather than a functioning security control.

Useful? React with 👍 / 👎.