
Prevent checkout default-branch warnings #207

Merged
seonghobae merged 3 commits into develop from stepwise/brand-security-program on May 2, 2026

Conversation

@seonghobae
Owner

Summary

  • Add a workflow-level Git init.defaultBranch=develop guard before checkout across workflows that use actions/checkout.
  • Extend the supply-chain verifier with regression coverage for missing, commented, run-step, and nested-env false-pass cases.
  • Keep pinned-action and security-gate behavior unchanged while addressing [Security] Residual warning, deprecation, and notice inventory (#204).

Verification

  • uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q
  • uv run --project services/analysis-engine ruff check scripts/checks/verify_supply_chain.py services/analysis-engine/tests/test_supply_chain_policy.py
  • python3 scripts/checks/verify_supply_chain.py
  • python3 scripts/checks/security_gates.py
  • ./scripts/harness/quickcheck.sh

Closes #204

@coderabbitai

coderabbitai Bot commented May 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 06890eb and 06d47f1.

📒 Files selected for processing (2)
  • scripts/checks/verify_supply_chain.py
  • services/analysis-engine/tests/test_supply_chain_policy.py

📝 Walkthrough

Summary by CodeRabbit

Release notes

  • Chores

    • A workflow-level environment variable is added across the CI/CD workflows so that the Git default branch is consistently set to develop.
  • Tests

    • Supply-chain policy verification logic that checks checkout default-branch compliance is integrated, and a new test suite for it is added.

Walkthrough

GIT_CONFIG_* environment variables are added to the GitHub Actions workflows to set init.defaultBranch to develop, together with a verification script that enforces the presence of this setting and pytest tests that prove the verification.

Changes

Applying the Git initial-branch guard

Layer / File(s)  Summary
Workflow environment configuration
.github/workflows/... (bandit.yml, build-baseline.yml, ci.yml, codeql.yml, dependency-review.yml, ossf-scorecard.yml, release.yml, sbom.yml, secret-scan-gate.yml, security-audit.yml, trivy.yml)
  An env block is added at the top of each workflow setting GIT_CONFIG_COUNT: "1", GIT_CONFIG_KEY_0: init.defaultBranch and GIT_CONFIG_VALUE_0: develop.
Verification script implementation
scripts/checks/verify_supply_chain.py
  Adds the CHECKOUT_DEFAULT_BRANCH_GUARD_VIOLATION and CHECKOUT_DEFAULT_BRANCH_GUARD_ENV constants; implements workflow_top_level_env(content: str) -> dict[str, str] and verify_checkout_default_branch_guard() -> list[str]; integrates the result of that check into main().
Verification tests
services/analysis-engine/tests/test_supply_chain_policy.py
  Adds a number of pytest cases that write workflow files dynamically and load the verification script: a missing guard, a commented-out guard being ignored, a guard in the wrong place (run block / job level / nested) being rejected, and a correct guard being accepted with inline comments allowed.

Sequence Diagram(s)

(Omitted: the generation conditions were not met.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 One branch set down with a word,
Git markers planted in the workflows,
The script becomes a fence and keeps watch,
The tests press their stamps down firmly,
A handful of calm in the forest of develop 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main content of the change. It directly conveys the core goal: preventing Git default-branch warnings when 'actions/checkout' is used.
Description check ✅ Passed The description adequately covers the changes: adding the workflow-level Git guard, extending the supply-chain verifier, and resolving issue #204.
Linked Issues check ✅ Passed The PR meets all coding requirements of #204: GIT_CONFIG environment variables are added to all workflows, verification logic is implemented in verify_supply_chain.py, and 9 regression tests cover the missing, commented-out and nested-env cases.
Out of Scope Changes check ✅ Passed All changes are within the scope of #204. The workflow env settings, the verification function and the regression tests all relate to the clear goal of implementing the 'init.defaultBranch=develop' guard.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/checks/verify_supply_chain.py`:
- Around line 401-439: The code falsely flags workflows because
verify_checkout_default_branch_guard simply searches for "actions/checkout@"
anywhere (including commented lines) and workflow_top_level_env only matches a
strict "env:" line and env entries with exactly two spaces. Update
verify_checkout_default_branch_guard to detect actions/checkout@ only on
non-commented lines (e.g., scan lines and ignore lines whose first
non-whitespace char is '#'); update workflow_top_level_env to match the env
header with a tolerant regex like r'^\s*env:\b' so "env: # ..." is accepted, and
accept env entries with any indentation using
r'^\s+([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$' while still stripping inline
comments and quotes; keep the rest of the logic and use the same
CHECKOUT_DEFAULT_BRANCH_GUARD_ENV and CHECKOUT_DEFAULT_BRANCH_GUARD_VIOLATION
symbols.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between a328295 and 8fbd297.

📒 Files selected for processing (13)
  • .github/workflows/bandit.yml
  • .github/workflows/build-baseline.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/ossf-scorecard.yml
  • .github/workflows/release.yml
  • .github/workflows/sbom.yml
  • .github/workflows/secret-scan-gate.yml
  • .github/workflows/security-audit.yml
  • .github/workflows/trivy.yml
  • scripts/checks/verify_supply_chain.py
  • services/analysis-engine/tests/test_supply_chain_policy.py


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/checks/verify_supply_chain.py`:
- Around line 435-439: The current guard uses a simple substring check ("if
'actions/checkout@' not in content_without_comments") which causes false
positives when that substring appears in run: commands or string literals;
change the check to only match a uses: step. Replace the substring test with a
regex search on content_without_comments (e.g.
re.search(r'(?m)^\s*uses:\s*(?:["\'])?actions/checkout@',
content_without_comments)) so only lines that declare a uses: action for
actions/checkout are accepted; update the code around content_without_comments
and the if-check accordingly.
- Around line 413-422: The parser is treating any indented "key: value" line as
top-level by using env_line_without_comment.startswith(" ") and a loose regex;
fix it by capturing the base indentation when you enter the env block and only
accept key/value lines whose leading whitespace matches that expected depth.
Concretely: when you detect the env block, record the indentation (e.g.,
base_indent = len(re.match(r"^(\s*)", env_line_without_comment).group(1))) and
change the regex/match check to require that the line begins with exactly
base_indent plus the expected additional indent (or use
r"^\s{N}([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$" with N computed), then continue
to populate env[match.group(1)] only when that indent test passes.

In `@services/analysis-engine/tests/test_supply_chain_policy.py`:
- Around line 233-271: Add a regression test that covers the top-level env
nested-map bypass: create a new (or extend existing) test similar to
test_supply_chain_check_rejects_nested_checkout_default_branch_guard that writes
a workflow where the workflow's env contains a nested mapping (e.g., env:
CONFIGS: { GIT_CONFIG_COUNT: "1", GIT_CONFIG_KEY_0: init.defaultBranch,
GIT_CONFIG_VALUE_0: develop }) and then call
verify_checkout_default_branch_guard() to assert it returns the same violation
string; reference the test function name
test_supply_chain_check_rejects_top_level_nested_env_checkout_default_branch_guard
(or update the existing
test_supply_chain_check_rejects_nested_checkout_default_branch_guard) and ensure
the expected violation message matches the current assertion text.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 8fbd297 and 06890eb.

📒 Files selected for processing (2)
  • scripts/checks/verify_supply_chain.py
  • services/analysis-engine/tests/test_supply_chain_policy.py

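The following is an added example written for this page, not the project's scripts/checks/verify_supply_chain.py. It implements the parsing rules the three review rounds above converge on, together with the env block shape the walkthrough describes: a column-0 env: header (a trailing comment is tolerated), entries accepted at one indentation depth only, commented-out lines ignored, nested block or flow mappings rejected, and actions/checkout@ recognised only on a live uses: line rather than inside a run: command or a comment. The constant names follow the walkthrough, but their values, the violation wording, the dict-of-workflows input (the real script reads .github/workflows/) and the all-zero placeholder pin are assumptions; the sample workflows are constructed inline so that the file runs offline.

```python
"""Added example: a checkout default-branch guard verifier modelled on the review
comments above. Not the project's scripts/checks/verify_supply_chain.py."""
import re
import textwrap

# Names mirror the walkthrough; values, message text and the pin are assumptions.
CHECKOUT_DEFAULT_BRANCH_GUARD_ENV = {
    "GIT_CONFIG_COUNT": "1",
    "GIT_CONFIG_KEY_0": "init.defaultBranch",
    "GIT_CONFIG_VALUE_0": "develop",
}
CHECKOUT_DEFAULT_BRANCH_GUARD_VIOLATION = (
    "actions/checkout used without the workflow-level init.defaultBranch guard"
)

_ENV_HEADER = re.compile(r"^env:\s*$")  # column 0 only; comment already stripped
_ENV_ENTRY = re.compile(r"^(\s+)([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")
_USES_CHECKOUT = re.compile(r"""^\s*-?\s*uses:\s*["']?actions/checkout@""", re.M)


def _strip_comment(line: str) -> str:
    """Drop a full-line or trailing YAML comment (a quoted '#' is not handled)."""
    if line.lstrip().startswith("#"):
        return ""
    hit = re.search(r"\s#", line)
    return (line[: hit.start()] if hit else line).rstrip()


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def workflow_top_level_env(content: str) -> dict[str, str]:
    """Scalar entries of the workflow-level env: map. Only a column-0 header opens
    the block (job/step env maps are indented, so ignored) and only entries at the
    first indentation depth are kept, so a nested map's children never leak in."""
    env: dict[str, str] = {}
    in_block, base_indent = False, None
    for raw in content.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue  # blank and comment-only lines do not end the block
        if not in_block:
            in_block = bool(_ENV_HEADER.match(line))
            continue
        if not line[0].isspace():
            break  # back at column 0: the env block is over
        m = _ENV_ENTRY.match(line)
        if m is None:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        base_indent = indent if base_indent is None else base_indent
        if indent != base_indent or value == "" or value.startswith("{"):
            continue  # nested map header or child, not a scalar entry
        env[key] = _unquote(value)
    return env


def verify_checkout_default_branch_guard(workflows: dict[str, str]) -> list[str]:
    """One violation per workflow whose live uses: actions/checkout@ step is not
    covered by the guard. Takes {path: yaml_text} so the example runs offline."""
    violations = []
    for path, content in workflows.items():
        live = "\n".join(_strip_comment(ln) for ln in content.splitlines())
        if not _USES_CHECKOUT.search(live):
            continue  # checkout only in a comment or a run: string: nothing to guard
        env = workflow_top_level_env(content)
        missing = sorted(k for k, v in CHECKOUT_DEFAULT_BRANCH_GUARD_ENV.items() if env.get(k) != v)
        if missing:
            violations.append(f"{path}: {CHECKOUT_DEFAULT_BRANCH_GUARD_VIOLATION} (missing: {', '.join(missing)})")
    return violations


# Constructed sample workflows covering the false-pass cases the reviews list.
PIN = "actions/checkout@0000000000000000000000000000000000000000"  # placeholder SHA
HEAD, JOBS = "name: sample\non: [push]\n", "jobs:\n  build:\n    runs-on: ubuntu-latest\n"
STEP = f"    steps:\n      - uses: {PIN}\n"
GUARD = ('env:  # workflow-level guard\n  GIT_CONFIG_COUNT: "1"\n'
         "  GIT_CONFIG_KEY_0: init.defaultBranch\n  GIT_CONFIG_VALUE_0: develop  # inline ok\n")
SAMPLES = {
    "good.yml": HEAD + GUARD + JOBS + STEP,
    "missing.yml": HEAD + JOBS + STEP,
    "commented.yml": HEAD + "".join(f"# {ln}\n" for ln in GUARD.splitlines()) + JOBS + STEP,
    "job-level.yml": HEAD + JOBS + textwrap.indent(GUARD, "    ") + STEP,
    "run-step.yml": HEAD + JOBS + "    steps:\n      - run: git config --global init.defaultBranch develop\n"
                    f"      - uses: {PIN}\n",
    "nested.yml": HEAD + "env:\n  CONFIGS:\n" + textwrap.indent(GUARD.split("\n", 1)[1], "  ") + JOBS + STEP,
    "flow-nested.yml": HEAD + 'env:\n  CONFIGS: { GIT_CONFIG_COUNT: "1", GIT_CONFIG_KEY_0: init.defaultBranch,'
                       " GIT_CONFIG_VALUE_0: develop }\n" + JOBS + STEP,
    "no-checkout.yml": HEAD + JOBS + f'    steps:\n      - run: echo "{PIN} only appears in a string"\n',
}

if __name__ == "__main__":
    for violation in verify_checkout_default_branch_guard(SAMPLES):
        print(violation)  # six of the eight samples; good.yml and no-checkout.yml pass
```

Running the file prints one line per flagged sample; good.yml (guard present, inline comment tolerated) and no-checkout.yml (the action name appears only inside a run: string) pass. The indentation rule is what closes the nested-env bypass: CONFIGS: opens a deeper map, so its children are never read as top-level keys, in either block or flow form.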

Successfully merging this pull request may close these issues.

[Security] Residual warning, deprecation, and notice inventory
