ci: address coderabbit review on PR #1 — perms, sha-pin, spdx, actionlint

[sebyx07]

Summary

Addresses all 4 CodeRabbit threads from #1 (which was admin-merged before review was processed — this PR closes the loop).

Thread	Severity	Status
Narrow GITHUB_TOKEN default to read-only	Major	✅ Fixed
Pin all 3rd-party actions to commit SHAs	Major	✅ Fixed (29 refs across ci.yml + labeler.yml)
SPDX check enforces header location (top 15 lines)	Major	✅ Fixed
Register Blacksmith labels in .github/actionlint.yaml	Minor	✅ Fixed

Test plan

• Local: python yaml.safe_load passes on all 3 YAML files
• All 8 action SHAs verified via gh api repos/<owner>/<repo>/commits/<sha>
• CI green on this PR (validates the hardened workflow itself)
• CodeRabbit re-reviews; threads from ci: initial pipeline — rust + bun on blacksmith 4vcpu linux #1 referenced in resolve-replies

Spec refs

• docs/architecture/01-principles.md — Law 7 (SPDX), Law 11 (telemetry)
• PR ci: initial pipeline — rust + bun on blacksmith 4vcpu linux #1 review threads: PRRT_kwDOSgA44s6CqISk, PRRT_kwDOSgA44s6CqISu, PRRT_kwDOSgA44s6CqISy, PRRT_kwDOSgA44s6CqISz

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Pinned CI/CD actions to fixed commits for improved stability.
  • Tightened workflow permissions to read-only where possible.
  • Made license-header checks stricter to ensure SPDX identifiers appear near file starts.
  • Registered specific self-hosted runner labels to avoid false warnings.
  • Simplified internal tooling guidance and updated governance references from 12 to 15 laws.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: cdb5fd19-a2be-4ca9-9d30-0c951f5162bb

📥 Commits

Reviewing files that changed from the base of the PR and between 00bcfff and a79e336.

📒 Files selected for processing (2)

• .coderabbit.yaml
• CLAUDE.md

---

Walkthrough

This PR hardens GitHub Actions security and reproducibility by establishing actionlint runner configuration, tightening CI workflow permissions to read-only defaults, pinning action references to commit SHAs across jobs, and restricting SPDX header detection to the first 15 lines of files.

Changes

GitHub Actions Security and Configuration

Layer / File(s)	Summary
Actionlint runner configuration .github/actionlint.yaml	Populate actionlint configuration with SPDX/copyright headers and register Blacksmith-managed self-hosted runner labels (Ubuntu 2204/2404 with various CPU sizes) to suppress unknown-label warnings.
CI workflow permissions and documentation .github/workflows/ci.yml	Tighten workflow-level permissions from broader write access to contents: read only, and update comments documenting the shift to pinned commit SHAs for action setup.
Rust job action version pinning .github/workflows/ci.yml	Pin all action versions by commit SHA across Rust jobs: actions/checkout, actions-rust-lang/setup-rust-toolchain, useblacksmith/rust-cache, taiki-e/install-action, and actions/upload-artifact.
Bun and docs job action pinning with SPDX refinement .github/workflows/ci.yml	Pin actions/checkout, oven-sh/setup-bun, and useblacksmith/cache to commit SHAs in Bun jobs. Update SPDX verification script to require SPDX-License-Identifier: within the first 15 lines only.
Labeler workflow action pinning .github/workflows/labeler.yml	Pin actions/labeler from @v5 to specific commit SHA for v5.0.0.
CodeRabbit tone_instructions update .coderabbit.yaml, CLAUDE.md	Replace verbose tone_instructions block with a condensed authority-and-citation instruction set and update references from “12 Laws” to “15 Laws” in policy/routing entries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Actions pinned, permissions tight,
Blacksmith runners now in sight,
SPDX checks scan just the start,
Reproducible CI—a rabbit's art!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main changes: CI fixes responding to CodeRabbit review, covering permissions narrowing, SHA-pinning, SPDX enforcement, and actionlint configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/coderabbit-fixes-pr1

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.coderabbit.yaml:
- Line 18: The file's governance counts are inconsistent: the tone_instructions
entry declares "15 Laws" while other places enforce "12 Laws"; update all
law-count references so they match the intended number (either change
tone_instructions to "12 Laws" or change the other law-count entries to "15
Laws") — locate the keys/values named tone_instructions and the law count fields
(the repeated "Laws" or numeric law-count entries present in the file) and make
them identical across the file, and ensure any accompanying text (e.g., "15
Laws" phrasing) and enforcement lists (the actual law entries) reflect the same
count.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5d8efa0d-a96d-4599-bdd6-031c06eb2b0e

📥 Commits

Reviewing files that changed from the base of the PR and between dcce61e and 00bcfff.

📒 Files selected for processing (1)

• .coderabbit.yaml