
feat: add CI/CD workflows and Claude Code commands #1

Merged: boorad merged 5 commits into main from feat/ci-cd-examples, Apr 16, 2026

Conversation

boorad (Contributor) commented Apr 16, 2026

Summary

  • Add per-environment GitHub Actions deploy workflows using EnforceAuth/deploy-action@v1 with path-based triggers (dev/**, stage/**, prod/**)
  • Add local Regal lint composite action (.github/actions/rego-lint) wired into all workflows
  • Add Claude Code slash commands adapted from ea (/commit, /pr, /review, /address-pr-feedback, /handoff)

Environments affected

All — this adds CI/CD for dev, stage, and prod.

Changes

  • deploy-dev.yml / deploy-stage.yml: lint + test (parallel) → deploy via EnforceAuth
  • deploy-prod.yml: lint + test (parallel) → dry-run validation → deploy with concurrency lock and environment protection
  • pr-check.yml: Regal lint + conditional OPA tests per changed environment (using dorny/paths-filter)
  • rego-lint composite action: installs Regal, diffs changed .rego files, lints only affected directories
  • Claude Code commands: commit, pr, review, address-pr-feedback, handoff — adapted for OPA policy repo

Test plan

  • Verify dev deploy triggers only on dev/** changes
  • Verify prod deploy requires dry-run + environment approval
  • Verify PR check runs lint and only tests changed environments
  • Verify Regal lint skips when no .rego files changed

Summary by CodeRabbit

  • New Features

    • CI checks and Rego linting added, plus deploy pipelines for dev/stage/prod (includes dry-run and gated production deploy).
    • Automated workflows to create PRs, commit changes, run reviews, and address review feedback.
  • Documentation

    • Step-by-step command guides and a structured session handoff to standardize commit, PR, review, and feedback workflows.

boorad added 2 commits April 15, 2026 21:02
Add per-environment deploy workflows using EnforceAuth/deploy-action@v1:
- dev/stage trigger on path changes, test, then deploy directly
- prod adds dry-run validation, concurrency lock, and environment protection
- PR check workflow runs OPA tests only for changed environments

Add Claude Code slash commands (commit, pr, review, address-pr-feedback, handoff)
adapted from ea-financial for this OPA policy repo.

Add .github/actions/rego-lint composite action that lints only changed
Rego files in a PR. Wire it into all deploy workflows (lint + test run
in parallel before deploy) and the PR check workflow.
@boorad boorad self-assigned this Apr 16, 2026
coderabbitai Bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ac58558c-d056-477e-869e-14af22fb30f5

📥 Commits

Reviewing files that changed from the base of the PR and between 26683ef and 385ebee.

📒 Files selected for processing (3)
  • .claude/commands/address-pr-feedback.md
  • .github/actions/rego-lint/action.yml
  • .github/workflows/deploy-prod.yml
✅ Files skipped from review due to trivial changes (2)
  • .claude/commands/address-pr-feedback.md
  • .github/actions/rego-lint/action.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/deploy-prod.yml

📝 Walkthrough

Adds five CLI/agent command docs for PR/commit/handoff/review/feedback workflows, a composite Regal-based Rego lint action, a PR lint check workflow, and three environment-targeted deploy workflows (dev, stage, prod) that lint and deploy policy bundles with a prod dry-run and concurrency guard.

Changes

Claude Command Documentation
  Files: ./.claude/commands/address-pr-feedback.md, ./.claude/commands/commit.md, ./.claude/commands/handoff.md, ./.claude/commands/pr.md, ./.claude/commands/review.md
  Summary: Added five Markdown command documents describing end-to-end CLI/agent workflows for addressing PR feedback, committing changes, session handoffs, creating PRs, and reviewing OPA/Rego policy changes.

Composite Rego Lint Action
  Files: ./.github/actions/rego-lint/action.yml
  Summary: New composite GitHub Action that installs Regal, computes changed *.rego files with PR-aware diffing, outputs has_files and dirs, and conditionally runs regal lint with configurable regal-version (default v0.39.0).

PR Check Workflow
  Files: ./.github/workflows/pr-check.yml
  Summary: New "PR Check" workflow triggered on pull requests to main that runs the local ./.github/actions/rego-lint composite action.

Deploy Workflows (dev/stage/prod)
  Files: ./.github/workflows/deploy-dev.yml, ./.github/workflows/deploy-stage.yml, ./.github/workflows/deploy-prod.yml
  Summary: Added environment-specific deploy pipelines that run a lint job using the local Rego-lint action, then deploy jobs invoking EnforceAuth/deploy-action@v1. prod includes a dry-run job, step-summary output, concurrency gating, and a conditional gated deploy.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Maintainer
  participant GitHub as "GitHub Actions"
  participant Regal as "Local action: ./.github/actions/rego-lint"
  participant OPA as "Open Policy Agent (opa test)"
  participant Enforce as "EnforceAuth/deploy-action"

  Maintainer->>GitHub: trigger workflow (push / workflow_dispatch / PR)
  GitHub->>Regal: run Rego lint on computed dirs
  Regal-->>GitHub: lint result (success/failure)
  alt lint succeeds
    GitHub->>OPA: optionally run opa test <env>/ -v
    OPA-->>GitHub: test result
    GitHub->>Enforce: run deploy-action (dry-run for prod)
    Enforce-->>GitHub: dry-run status & bundle-version
    alt dry-run success
      GitHub->>Enforce: run deploy-action (wait-for-completion)
      Enforce-->>GitHub: deploy result
    else dry-run failed
      GitHub-->>Maintainer: report dry-run failure
    end
  else lint failed
    GitHub-->>Maintainer: report lint failure
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through workflows, lint, and test,
I nudged each PR and did my best.
From branch to prod the bundles go,
I paused for dry-run, safe and slow.
A rabbit’s wink — automation blessed 🌿

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately and concisely summarizes the main changes: adding CI/CD workflows and Claude Code commands for the OPA policy repository.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


amazon-q-developer Bot left a comment

Review Summary

This PR adds comprehensive CI/CD workflows for dev, stage, and production environments with appropriate safety controls. However, there are 4 critical issues that must be fixed before merge:

Critical Issues (Must Fix)

  1. Production deployment logic error - The conditional check on line 77 of deploy-prod.yml uses .result instead of properly validating dry-run outputs, which could allow failed validations to proceed to production deployment
  2. Command injection vulnerabilities in rego-lint/action.yml - Two instances of unquoted variable expansion (lines 25 and 33) create security risks when processing filenames
  3. Missing error handling in production dry-run summary that could cause undefined behavior when accessing failed step outputs

Required Actions

All 4 comments include commit-ready code suggestions. Please apply the suggested fixes to:

  • Strengthen production deployment gate validation
  • Eliminate command injection vulnerabilities
  • Add proper error handling for failed dry-runs

The workflow structure and environment-based deployment strategy are sound once these defects are addressed.


coderabbitai Bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (4)
.claude/commands/commit.md (1)

30-37: Clarify subject/body commit command

If a body is required (Line [30]-[31]), documenting a two--m form is clearer and more reproducible than a single placeholder message.

Proposed tweak
-   git commit -m "<message>"
+   # Subject only:
+   git commit -m "<subject>"
+   # Subject + body (for substantial changes):
+   git commit -m "<subject>" -m "<what changed and why>"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/commit.md around lines 30 - 37, Update the commit guidance
to show using two -m flags for subject and body when a body is required: change
the example currently showing a single git commit -m "<message>" into a form
that demonstrates git commit -m "subject" -m "body" (so readers know how to
supply a one-line subject and a separate body) and update the surrounding text
at "If the change is substantial, add a body paragraph..." to reference this two
-m approach; keep the subject length guidance as-is.
.claude/commands/pr.md (1)

9-19: Fetch origin/main before diff/log range checks

Using local main without a fetch can produce stale commit/env detection for PR generation.

Proposed tweak
 1. **Verify branch state**:
+   - Run `git fetch origin main` to refresh upstream state
    - Run `git branch --show-current` to get the current branch name
    - Ensure we're not on `main` (abort if so)
    - Run `git log main..HEAD --oneline` to see commits to include
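Review bot: the added `git fetch origin main` only refreshes the remote-tracking ref `origin/main`, yet the range check two lines later still reads `git log main..HEAD --oneline`, i.e. the local `main`, so the stale-detection problem this tweak targets remains; suggest changing that step (and the matching `git diff main..HEAD --stat` step the accompanying prompt mentions) to compare against `origin/main..HEAD`.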
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/pr.md around lines 9 - 19, Fetch the remote main branch
before comparing ranges: replace local-only checks that use "git log main..HEAD
--oneline" and "git diff main..HEAD --stat" with a step that runs a fetch (e.g.,
"git fetch origin main" or "git fetch origin") and then compare against
origin/main (use "git log origin/main..HEAD" / "git diff origin/main..HEAD") so
branch detection and env/file-change checks are based on up-to-date remote main;
keep the existing branch verification step ("git branch --show-current" and
abort if main) and the push guidance ("git push -u origin <branch-name>")
unchanged.
.github/workflows/deploy-prod.yml (1)

41-44: Pin the OPA CLI version instead of latest.

The setup action explicitly supports fixed versions and SemVer ranges in addition to latest. For a production gate, locking this to a tested version or minor series will avoid surprise failures when upstream OPA releases change behavior. (github.com)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-prod.yml around lines 41 - 44, Replace the unpinned
OPA CLI install in the workflow where the action open-policy-agent/setup-opa@v2
is used with a pinned version value instead of "latest"; update the input key
"version" to a fixed release (or a SemVer range like a minor series) and keep
the subsequent test step (opa test prod/ -v) intact so the CI uses a
reproducible OPA binary for production gates.
.github/workflows/deploy-dev.yml (1)

31-34: Avoid the moving latest OPA target.

open-policy-agent/setup-opa supports latest, but it also supports explicit versions and SemVer ranges. Pinning to a tested version or minor line will keep this gate reproducible when new OPA releases land. (github.com)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-dev.yml around lines 31 - 34, The workflow uses
open-policy-agent/setup-opa@v2 with version: latest which is a moving target;
replace the moving "latest" pin with a specific OPA version or a SemVer range
you trust (e.g., a tested minor line) in the setup step that currently
references open-policy-agent/setup-opa@v2 and version: latest, then verify the
change by running the existing opa test dev/ -v step to ensure compatibility.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/address-pr-feedback.md:
- Around line 26-32: Step 5 currently only covers threaded replies for inline
review comments and omits handling for general PR comments and review-body
feedback; update Step 5 to route responses by source type: for inline review
comments use the gh api
"repos/{owner}/{repo}/pulls/{pr}/comments/{comment_id}/replies" POST flow, for
general PR comments use gh pr comment {pr} --body "...", and for review-body
feedback use gh pr review {pr} --comment --body "..." (or use the PUT review API
to update an existing review body); replace the single inline-only example with
these three targeted response commands and brief message templates so each
fetched comment type has a clear reply path.

In @.github/actions/rego-lint/action.yml:
- Around line 21-27: The git diff command uses origin/${{ github.base_ref }}
which is empty for push/workflow_dispatch; add a BASE_REF variable and fall back
when github.base_ref is empty (e.g., to origin/main or a sensible default) and
use that in the git diff invocation that populates FILES; update the script
around the FILES assignment (and keep the DIRS and GITHUB_OUTPUT logic) to
reference BASE_REF instead of directly referencing github.base_ref so the action
works for push/dispatch events as well.

In @.github/workflows/deploy-dev.yml:
- Around line 12-14: The workflow currently sets id-token: write at the
top-level permissions so every job (including lint and test) gets OIDC write
access; change this by keeping contents: read at the top-level permissions and
removing id-token: write there, then add a permissions block to the deploy job
(the job named "deploy") that includes id-token: write (and contents: read if
that job also needs it) so only the deploy job can request OIDC tokens.
- Around line 21-24: The workflow uses mutable action tags (actions/checkout@v4,
open-policy-agent/setup-opa@v2, EnforceAuth/deploy-action@v1 and other
actions/checkout@v4 occurrences) which must be pinned to immutable full commit
SHAs; for each referenced action (e.g., actions/checkout@v4,
open-policy-agent/setup-opa@v2, EnforceAuth/deploy-action@v1) replace the tag
with the corresponding full-length commit SHA (and you may keep the tag as a
comment for readability, e.g., "# v4.2.2"), update every occurrence in the
workflow (all checkout usages) and ensure any external action references are
pinned to their commit SHAs to satisfy the security hardening guidance.

In @.github/workflows/deploy-prod.yml:
- Around line 22-24: Move the workflow-level id-token permission down to only
the jobs that need OIDC: remove "id-token: write" from the top-level permissions
block and add "permissions: id-token: write" to the job definitions that run
EnforceAuth/deploy-action@v1 (the dry-run and deploy jobs). Keep "contents:
read" at workflow level (or add job-level if you prefer), and ensure the lint
and test jobs do not include id-token so they run with least privilege.
- Around line 31-34: Replace mutable tags with full 40-char commit SHAs for all
external actions used in the production workflow: change actions/checkout@v4
(all occurrences referenced), open-policy-agent/setup-opa@v2, and
EnforceAuth/deploy-action@v1 to their pinned full-length commit SHAs; leave
local action ./ .github/actions/rego-lint unchanged. Locate the occurrences of
actions/checkout (three places), open-policy-agent/setup-opa, and
EnforceAuth/deploy-action in the workflow YAML and replace the tag syntax (e.g.,
`@v4`, `@v2`, `@v1`) with the corresponding 40-character commit SHA strings.

In @.github/workflows/deploy-stage.yml:
- Around line 31-34: Replace the non-deterministic OPA installer version in the
workflow: locate the open-policy-agent/setup-opa@v2 step (the `with: version:`
entry) and change `latest` to a pinned SemVer range such as "1.15" or "1.15.x"
so the action installs a stable OPA minor (allowing patches) instead of the
`latest` tag, then run the workflow to verify `opa test stage/ -v` still works.

In @.github/workflows/pr-check.yml:
- Around line 49-52: The workflow currently uses the Open Policy Agent action
with "version: latest" in three jobs (the open-policy-agent/setup-opa@v2 step),
which makes PR checks non-deterministic; update each occurrence of version:
latest (the setup step in all three env test jobs) to a pinned release like
version: v0.66.0 so the OPA version is deterministic across runs and tests
(replace all three instances).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d22098ef-d25b-47d6-a9a9-58be7fe819c2

📥 Commits

Reviewing files that changed from the base of the PR and between fa20059 and d60ed00.

📒 Files selected for processing (10)
  • .claude/commands/address-pr-feedback.md
  • .claude/commands/commit.md
  • .claude/commands/handoff.md
  • .claude/commands/pr.md
  • .claude/commands/review.md
  • .github/actions/rego-lint/action.yml
  • .github/workflows/deploy-dev.yml
  • .github/workflows/deploy-prod.yml
  • .github/workflows/deploy-stage.yml
  • .github/workflows/pr-check.yml
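As an added example (not the repo's rego-lint action, whose script is not shown on this page), a shell version of the changed-files step that addresses three of the review points above at once: the empty github.base_ref on push/workflow_dispatch, unquoted filename expansion, and failing closed on unexpected paths. Function names, the origin/main fallback and the exact has_files/dirs output format are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repo's .github/actions/rego-lint/action.yml.
# A "which *.rego files changed, and which directories should Regal lint"
# script that (1) falls back to a default base when github.base_ref is empty
# (push / workflow_dispatch), (2) never lets a filename reach the shell unquoted
# or through eval, and (3) rejects paths outside a strict allowlist so the step
# fails closed. Function names, the default branch and the output keys are
# assumptions, not the project's own interface.
set -eu

# Pick the diff base. GITHUB_BASE_REF is only set for pull_request events; for
# push and workflow_dispatch it is empty, so fall back to origin/<default>.
resolve_base_ref() {
  base_ref="${1:-}"
  default_branch="${2:-main}"
  if [ -n "$base_ref" ]; then
    printf 'origin/%s\n' "$base_ref"
  else
    printf 'origin/%s\n' "$default_branch"
  fi
}

# Allow only [A-Za-z0-9._/-] paths ending in .rego; refuse a leading '-' (could
# be parsed as a flag), '..' (path traversal) and '//'. Returns 0 when safe.
is_safe_rego_path() {
  case "$1" in
    ""|-*|*..*|*//*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._/-]+\.rego$'
}

# Reduce a newline-separated path list on stdin to the unique top-level
# directories to lint (one per line; a root-level file maps to "."). Stops with
# status 1 on the first unsafe path instead of passing it on to the linter.
rego_dirs() {
  nl='
'
  dirs=""
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if ! is_safe_rego_path "$f"; then
      printf 'rego-lint: refusing unexpected path: %s\n' "$f" >&2
      return 1
    fi
    case "$f" in
      */*) top="${f%%/*}" ;;
      *)   top="." ;;
    esac
    dirs="$dirs$top$nl"
  done
  printf '%s' "$dirs" | LC_ALL=C sort -u
}

# Git-facing part: diff from the merge base of BASE...HEAD for added/changed
# .rego files and write the has_files / dirs outputs the lint step reads
# (GITHUB_OUTPUT under Actions, stdout otherwise). Every path stays quoted.
emit_outputs() {
  base="$1"
  out="${2:-${GITHUB_OUTPUT:-/dev/stdout}}"
  files="$(git diff --name-only --diff-filter=ACMR "$base...HEAD" -- '*.rego')"
  if [ -z "$files" ]; then
    printf 'has_files=false\ndirs=\n' >> "$out"
    return 0
  fi
  dirs="$(printf '%s\n' "$files" | rego_dirs)" || return 1
  printf 'has_files=true\ndirs=%s\n' \
    "$(printf '%s\n' "$dirs" | tr '\n' ' ' | sed 's/ *$//')" >> "$out"
}

# Lint step: the only word-splitting in the script, safe because every entry
# in the dirs output passed is_safe_rego_path (no spaces or metacharacters).
lint_dirs() {
  # shellcheck disable=SC2086
  set -- $1
  regal lint "$@"
}

# Run the real flow only when asked, e.g. from the composite action:
#   REGO_LINT_RUN=1 ./rego-changed.sh
if [ "${REGO_LINT_RUN:-0}" = "1" ]; then
  emit_outputs "$(resolve_base_ref "${GITHUB_BASE_REF:-}" main)"
fi
```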

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.claude/commands/address-pr-feedback.md (1)

111-111: Prefer “Needs user input” for clearer wording.

Line 111 reads more naturally with “Needs user input”.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/address-pr-feedback.md at line 111, Replace the ambiguous
label "Needs input" with the clearer phrasing "Needs user input" in the text
(the string "Needs input" appears on the line highlighted in
.claude/commands/address-pr-feedback.md); update that exact token so all
occurrences use "Needs user input" to improve clarity.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/address-pr-feedback.md:
- Around line 74-85: Update the "false positives" section to include the missing
review-body feedback channel example: add a review-body level command (similar
to the inline and general examples) that shows using "gh pr review {pr}
--comment --body \"<explanation of why this is safe>\"" so the section now
demonstrates inline, general, and review-body options; edit the block around the
"For false positives:" paragraph and ensure the new example matches the
style/formatting of the other examples in that section.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 68878959-5bd7-4db4-afd7-aa415bc353f4

📥 Commits

Reviewing files that changed from the base of the PR and between d60ed00 and a901960.

📒 Files selected for processing (6)
  • .claude/commands/address-pr-feedback.md
  • .github/actions/rego-lint/action.yml
  • .github/workflows/deploy-dev.yml
  • .github/workflows/deploy-prod.yml
  • .github/workflows/deploy-stage.yml
  • .github/workflows/pr-check.yml
✅ Files skipped from review due to trivial changes (2)
  • .github/workflows/deploy-stage.yml
  • .github/workflows/pr-check.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/deploy-dev.yml
  • .github/actions/rego-lint/action.yml

coderabbitai Bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/deploy-prod.yml (1)

30-30: ⚠️ Potential issue | 🟠 Major

Pin actions/checkout to immutable SHAs.

actions/checkout@v4 is still tag-pinned in three places; pinning to full commit SHAs is still pending hardening. Keep EnforceAuth/deploy-action@v1 as-is for now per current repo decision.

Based on learnings: In this repo’s GitHub Actions workflows, SHA-pin external third-party actions, while deferring SHA pinning for EnforceAuth/deploy-action@v1 until its v1 SHA is finalized.

Also applies to: 43-43, 76-76

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-prod.yml at line 30, The workflow currently uses
the tag-pinned action reference actions/checkout@v4 in multiple places; replace
each occurrence of actions/checkout@v4 (the checkout step at the references in
the diff) with the equivalent full commit SHA pinned ref
(actions/checkout@<full-commit-sha>) to harden the workflow—do this for all
three occurrences noted in the workflow (the checkout steps shown at the three
locations), but leave EnforceAuth/deploy-action@v1 unchanged per repo decision.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy-prod.yml:
- Line 12: The workflow currently allows manual dispatch from any ref
(workflow_dispatch) but the dry-run and deploy jobs ("dry-run" and "deploy")
lack branch guards; update those job definitions to include an if condition that
restricts execution to the main branch (for example: if: github.ref ==
'refs/heads/main') so manual dispatches from non-main refs cannot run the
dry-run or deploy jobs; locate the job blocks named dry-run and deploy and add
the if guard to each.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3e6a55ac-07c1-4c87-9688-766ebe48c048

📥 Commits

Reviewing files that changed from the base of the PR and between a901960 and 26683ef.

📒 Files selected for processing (4)
  • .github/workflows/deploy-dev.yml
  • .github/workflows/deploy-prod.yml
  • .github/workflows/deploy-stage.yml
  • .github/workflows/pr-check.yml
✅ Files skipped from review due to trivial changes (2)
  • .github/workflows/deploy-stage.yml
  • .github/workflows/deploy-dev.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pr-check.yml

boorad (Contributor, Author) commented Apr 16, 2026

@coderabbitai Fixed — changed "Needs input" to "Needs user input" on line 111 of address-pr-feedback.md.

boorad (Contributor, Author) commented Apr 16, 2026

@coderabbitai Fixed — pinned actions/checkout@v4 to commit SHA 34e114876b0b11c390a56381ad16ebd13914f8d5 across all 3 occurrences in deploy-prod.yml. EnforceAuth/deploy-action@v1 left as-is per repo decision.

coderabbitai Bot commented Apr 16, 2026

@boorad Thanks for the update! The change from "Needs input" to "Needs user input" on line 111 of address-pr-feedback.md looks good — that phrasing is clearer and more explicit for readers of the command document.


🧠 Learnings used
Learnt from: boorad
Repo: EnforceAuth/ea-commerce PR: 1
File: .github/workflows/deploy-dev.yml:21-24
Timestamp: 2026-04-16T01:41:36.086Z
Learning: In the EnforceAuth/ea-commerce repository, the EnforceAuth/deploy-action@v1 SHA pinning is intentionally deferred because the action is first-party and its v1 tag SHA is not yet verified/finalized. This is tracked as a follow-up task. The other external actions (actions/checkout, open-policy-agent/setup-opa, dorny/paths-filter) can be pinned independently.

coderabbitai Bot commented Apr 16, 2026

🧩 Analysis chain

Let me quickly verify the SHA used for actions/checkout@v4 is correct.


🏁 Script executed:

#!/bin/bash
# Verify the SHA against actions/checkout v4 tags
gh api repos/actions/checkout/git/ref/tags/v4 --jq '.object.sha'
echo "---"
# Also check the latest v4.x tags
gh api repos/actions/checkout/tags --jq '.[].name' | grep "^v4" | head -10
echo "---"
# Look up the specific SHA provided
gh api repos/actions/checkout/commits/34e114876b0b11c390a56381ad16ebd13914f8d5 --jq '.sha + " - " + .commit.message' 2>/dev/null || echo "SHA not found or not accessible"

Length of output: 208


@boorad: Confirmed ✅ — the SHA 34e114876b0b11c390a56381ad16ebd13914f8d5 is exactly what refs/tags/v4 resolves to in the actions/checkout repository, so all 3 occurrences in deploy-prod.yml are correctly pinned. Leaving EnforceAuth/deploy-action@v1 unpinned is consistent with the existing repo decision (tracked as a follow-up).



@boorad boorad merged commit a446547 into main Apr 16, 2026
2 checks passed
@boorad boorad deleted the feat/ci-cd-examples branch April 16, 2026 02:05