chore(governance): add governance gates #1

Closed
chitcommit wants to merge 5 commits into main from chore/governance-bootstrap-83a7d1d-20260417

@chitcommit commented Apr 17, 2026

Adds SHA-pinned Governance workflow calling CHITTYFOUNDATION/chittycanon and enables Portfolio Hardening.

- Required for CF Workers Builds portfolios.
- Enforces CODEOWNERS + hardening gates.
- Governance SHA: 83a7d1da1cfa5041f18450a6d43ff336068285de

Summary by CodeRabbit

  • Chores
    • Added automated governance and hardening validation checks to pull request workflows, ensuring compliance and security standards on submissions to main release branches.

coderabbitai Bot commented Apr 17, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8511c429-2eec-4341-bba2-514a6c61fa21

📥 Commits

Reviewing files that changed from the base of the PR and between 3ce4f56 and 7bd8275.

📒 Files selected for processing (1)
  • .github/workflows/governance.yml

Walkthrough

A new GitHub Actions workflow file is introduced that triggers on pull requests targeting main branches. The workflow executes two jobs by delegating to external reusable workflows: one for governance checks and another for portfolio hardening, each configured with specific parameters.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: `.github/workflows/governance.yml` | New workflow file that triggers on pull requests to main, master, production, and release branches. Defines two jobs: governance calling external reusable workflow with governance_version: main, and hardening calling external reusable workflow with tier: "2". |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A workflow takes shape with governance's grace,
Hardening steps in at a steady pace,
Two jobs unite with external might,
To keep the main branch pure and bright!
The rabbit hops with code in tow,
Let the pull requests safely flow!

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly describes the main change: adding governance gates via a new workflow file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/governance.yml:
- Around line 15-36: Add an explicit permissions block under each job that calls
the reusable workflows (the governance and hardening jobs) to enforce
least-privilege access; for example, add a permissions map (e.g., contents:
read) directly beneath the job keys for "governance" and "hardening" and expand
it only if the referenced reusable workflows
(CHITTYFOUNDATION/chittycanon/...@83a7d1da...) require additional scopes such as
checks, statuses, or security-events—verify and add those specific permissions
rather than relying on repo defaults.

📥 Commits

Reviewing files that changed from the base of the PR and between f238007 and 3ce4f56.

📒 Files selected for processing (1)
  • .github/workflows/governance.yml

Comment thread .github/workflows/governance.yml Outdated
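
A check for the two properties this thread raises for jobs that call reusable workflows (a full-SHA pin on `uses:` and explicit `permissions`), as an added example that is not part of the PR or the project's code. The sample workflow is constructed, with a placeholder org, file paths and SHA, and `audit_reusable_calls` is a hypothetical helper that scans indentation rather than parsing YAML.

```python
import re

# Constructed sample: org, paths and SHA are placeholders, not the project's.
SAMPLE_WORKFLOW = """\
on:
  pull_request:
    branches: [main, master, production, release]
jobs:
  governance:
    uses: example-org/example-canon/.github/workflows/gov-placeholder.yml@0123456789abcdef0123456789abcdef01234567
    with:
      governance_version: main
  hardening:
    permissions:
      contents: read
    uses: example-org/example-canon/.github/workflows/hard-placeholder.yml@v1
    with:
      tier: "2"
"""
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def audit_reusable_calls(workflow_text):
    """Flag reusable-workflow jobs lacking explicit permissions or a SHA pin."""
    # Simplified indentation scanner, not a YAML parser: assumes block style,
    # job names indented 2 spaces and job-level keys indented 4 spaces.
    jobs, top, current, in_jobs = {}, set(), None, False
    for raw in workflow_text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            top.add(key)
            in_jobs, current = key == "jobs", None
        elif in_jobs and indent == 2:
            current = jobs.setdefault(key, {})
        elif in_jobs and indent == 4 and current is not None:
            current[key] = value.strip()
    findings = []
    for name, keys in jobs.items():
        uses = keys.get("uses")
        if uses is None:
            continue  # ordinary job with steps: out of scope here
        if "permissions" not in keys and "permissions" not in top:
            findings.append((name, "no explicit permissions"))
        ref = uses.rpartition("@")[2]
        if not uses.startswith("./") and not FULL_SHA.fullmatch(ref):
            findings.append((name, f"ref {ref!r} is not a full commit SHA"))
    return findings
```

On the sample, the `governance` job is flagged for missing permissions and the `hardening` job for its tag ref; a workflow-level `permissions` block is accepted in place of a job-level one.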
@chitcommit
Member Author

Closing — governance branch protection was removed across all 154 chittyOrg repos (2026-04-23). The governance.yml workflow this PR would add is no longer required, and the gate it was meant to satisfy no longer exists. If governance is re-enabled later with a sustainable approval path (e.g., dual-identity review), the workflow can be re-added deliberately alongside the branch protection change.

@chitcommit chitcommit closed this Apr 24, 2026