
Harden public repo hygiene#63

Merged
simongonzalezdc merged 1 commit into main from fix/checkyourself-public-hardening on May 29, 2026

Conversation

@simongonzalezdc simongonzalezdc commented May 29, 2026

Summary

  • pin the Agent Law checkout action to an immutable SHA and disable persisted checkout credentials
  • add Dependabot coverage for root npm, EF-COACH npm, and GitHub Actions
  • ignore local environment and private key material by default

Verification

  • python3 /tmp/checkyourself-public-audit-20260529-final/_checkyourself_cli/tools/checkyourself.py scan /tmp/dev-learning-archaeologist-remediation --deep --json /tmp/dev-learning-archaeologist-remediation-final.json --out /tmp/dev-learning-archaeologist-remediation-final.md --format text --quiet
  • YAML parse for workflows and Dependabot config
  • git diff --check
  • gitleaks dir . --no-banner --redact --exit-code 1
  • npm test
  • npm --prefix EF-COACH test

CheckYourself result: P0/P1/P2/P3 = 0/0/0/0, suppressions = 0.

Summary by CodeRabbit

  • Security

    • Prevented accidental commits of environment files and private keys by updating the ignore list.
    • Improved workflow security by pinning action versions and disabling credential persistence after checkout.
  • Chores

    • Enabled weekly Dependabot updates for npm packages and workflows, limiting concurrent open PRs and applying dependency/security labels.

coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 295102f and b3b68c4.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/agent-law.yml
  • .gitignore
✅ Files skipped from review due to trivial changes (1)
  • .gitignore
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/agent-law.yml
  • .github/dependabot.yml

📝 Walkthrough

Adds a Dependabot v2 configuration with weekly updates for npm and GitHub Actions, pins actions/checkout to a specific commit and disables credential persistence in the Agent Law workflow, and updates .gitignore to ignore environment and private key files.

Changes

Repository Infrastructure & Security Hardening

Layer / File(s): Dependabot Configuration (.github/dependabot.yml)
Summary: Adds Dependabot v2 config with weekly schedules for npm at / and /EF-COACH, and github-actions at /; npm rules limit open PRs to 10 and add dependencies and security labels.

Layer / File(s): Workflow Action Pinning (.github/workflows/agent-law.yml)
Summary: Pins actions/checkout to a specific commit SHA and sets persist-credentials: false in the Checkout step.

Layer / File(s): Sensitive File Exclusion (.gitignore)
Summary: Adds ignore patterns for .env, .env.local, .env.*.local, and key files (*.pem, *.key) at the top of the file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning
Explanation: The PR description includes a clear summary of changes and comprehensive verification steps, but omits the required 'Empower Orchestrator' checklist section from the repository template.
Resolution: Add the 'Empower Orchestrator checklist' section from the repository template with appropriate checkboxes and explanations for whether this PR represents a repeatable task or system improvement.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title 'Harden public repo hygiene' is clear and concise, directly describing the main objective of the PR across all three file changes (pinning checkout action, adding Dependabot, and improving .gitignore).
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 295102f06d

Comment thread .github/workflows/agent-law.yml Outdated
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
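Review bot: the trailing `# v4` on the new `uses:` line is the only record of which release this SHA is meant to be, and if the commit is not reachable from the v4 tag the change is a silent major-version jump dressed as an "immutable v4 pin"; before merging, run `git ls-remote --tags https://github.com/actions/checkout`, take the peeled `refs/tags/v4…^{}` commit of the intended release, and confirm it equals `34e114876b0b11c390a56381ad16ebd13914f8d5`, or correct the comment to the tag the SHA actually belongs to. The snippet also does not show the `persist-credentials: false` that the PR summary pairs with this pin; it belongs in a `with:` block directly under this `uses:` line so the checkout token is not left in the workspace's .git/config for later steps to read.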

P2: Pin checkout to the intended v4 release

This SHA is not an actions/checkout@v4 revision; it corresponds to the checkout v6 development/release line, while the workflow still documents it as # v4. In this workflow the runner can be overridden via vars.RUNNER_LABEL, so any self-hosted runner that was compatible with v4 but not with checkout v5/v6's newer runner/runtime requirements can start failing at the checkout step even though this change appears to be only an immutable v4 pin. Please pin a commit reachable from the intended v4 tag, or intentionally update the workflow/comment and runner assumptions to v6.

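The check the Codex comment asks for, as an added example that is not part of PR #63 or its repository: a POSIX shell script that pulls every `uses:` out of a workflow file, flags floating tag references, and compares each SHA pin with the commit that the tag in its trailing `# vN` comment resolves to in `git ls-remote` output. Annotated tags appear in that output twice, as the tag object and as a peeled `refs/tags/<tag>^{}` commit, and the script prefers the peeled commit because that is what the runner checks out. The workflow text, tag listing and 40-hex SHAs in the demo are constructed and are not real actions/* commits; `fetch_tags` is the only function that touches the network.

```shell
#!/bin/sh
# Added example, not code from PR #63 or its repository. Checks that every
# SHA-pinned `uses:` in a GitHub Actions workflow points at the commit that the
# tag in its trailing "# vN" comment resolves to, using `git ls-remote` output.

# Print "repo sha tag" for each `uses:` line in workflow file $1.
# A ref that is not a 40-hex commit SHA (e.g. "@v4") is printed as sha "-",
# a missing "# tag" comment as tag "-". Local actions (./path) are skipped.
list_uses() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "")
      if (index($1, "@") == 0) next
      split($1, p, "@"); repo = p[1]; ref = p[2]
      tag = "-"
      for (i = 2; i < NF; i++) if ($i == "#") tag = $(i + 1)
      if (length(ref) != 40 || ref !~ /^[0-9a-f]+$/) ref = "-"
      print repo, ref, tag
    }' "$1"
}

# Write "repo<TAB>sha<TAB>ref" lines for one owner/repo ($1). Needs network
# access; not used by the offline demo below.
fetch_tags() {
  git ls-remote --tags "https://github.com/$1" | awk -v repo="$1" '{ print repo "\t" $0 }'
}

# Resolve tag $2 of repo $1 to a commit using listing file $3. The peeled
# "refs/tags/<tag>^{}" commit wins over the tag object when both are present.
resolve_tag() {
  awk -v repo="$1" -v tag="$2" '
    $1 == repo && $3 == ("refs/tags/" tag "^{}") { peeled = $2 }
    $1 == repo && $3 == ("refs/tags/" tag)       { plain  = $2 }
    END { if (peeled != "") print peeled; else if (plain != "") print plain }
  ' "$3"
}

# Report every uses: line in workflow $1 against tag listing $2.
# Returns 1 if any pin is floating, uncommented, unresolvable or mismatched.
verify_pins() {
  rc=0
  tmp=$(mktemp)
  list_uses "$1" > "$tmp"
  while read -r repo sha tag; do
    if [ "$sha" = "-" ]; then
      echo "FLOATING  $repo  (not pinned to a commit SHA)"; rc=1
    elif [ "$tag" = "-" ]; then
      echo "NOCOMMENT $repo@$sha  (no '# vN' comment to check against)"; rc=1
    else
      want=$(resolve_tag "$repo" "$tag" "$2")
      if [ -z "$want" ]; then
        echo "UNKNOWN   $repo@$sha  # $tag  (tag not found in listing)"; rc=1
      elif [ "$want" != "$sha" ]; then
        echo "MISMATCH  $repo@$sha  # $tag  (tag resolves to $want)"; rc=1
      else
        echo "OK        $repo@$sha  # $tag"
      fi
    fi
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# Offline demo on constructed data: the SHAs below are made up and are not real
# actions/* commits. Expected: checkout OK, setup-node MISMATCH, cache FLOATING.
run_demo() {
  dir=$(mktemp -d)
  cat > "$dir/workflow.yml" <<'EOF'
jobs:
  law:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v4
      - uses: actions/cache@v4
EOF
  cat > "$dir/tags.txt" <<'EOF'
actions/checkout 1111111111111111111111111111111111111111 refs/tags/v4
actions/checkout aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/tags/v4^{}
actions/setup-node 2222222222222222222222222222222222222222 refs/tags/v4
actions/setup-node cccccccccccccccccccccccccccccccccccccccc refs/tags/v4^{}
EOF
  verify_pins "$dir/workflow.yml" "$dir/tags.txt"
  status=$?
  rm -rf "$dir"
  return $status
}

run_demo
echo "exit status: $?"
```

Against a real repository, build the listing with one `fetch_tags owner/repo >> tags.txt` per action the workflow references and then run `verify_pins .github/workflows/agent-law.yml tags.txt`; a non-zero exit means a floating reference, a pin with no version comment, or a SHA the commented tag does not resolve to. Keeping the `# vN` comment accurate is also what lets the github-actions Dependabot ecosystem added in this PR bump the SHA and the comment together.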
@simongonzalezdc simongonzalezdc force-pushed the fix/checkyourself-public-hardening branch from 295102f to b3b68c4 Compare May 29, 2026 21:40
@simongonzalezdc simongonzalezdc merged commit fa2b325 into main May 29, 2026
3 checks passed
@simongonzalezdc simongonzalezdc deleted the fix/checkyourself-public-hardening branch May 29, 2026 21:41