Skip to content

feat(standards): fleet caller stubs for the idea→initiative pipeline#499

Merged
don-petry merged 1 commit into
mainfrom
feat/fleet-idea-pipeline-stubs
Jun 20, 2026
Merged

feat(standards): fleet caller stubs for the idea→initiative pipeline#499
don-petry merged 1 commit into
mainfrom
feat/fleet-idea-pipeline-stubs

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

Adds the public-repo half of fleet-enabling the idea→initiative pipeline (epic petry-projects/.github-private#817, Option A). Three thin caller stubs + their dispatch reusables let any BMAD-enabled repo run the pipeline against its own Ideas Discussions, while the BMAD frameworks and planning logic stay vendored once in .github-private.

This delivers the pieces that the .github-private-side PRs (#827, #828, #829) could not create — dev-lead runs there can't write to this public repo, so #820 closed on only a lint.yml one-liner and #821 closed with its public stubs still missing. This PR is their real deliverable.

What's here

Stub (standards/workflows/) Reusable (.github/workflows/) Trigger → action
initiative-planner.yml initiative-planner-reusable.yml discussion [labeled] idea:approved (trusted actor) → dispatch central planner with target_repo=<host>
idea-triage.yml idea-triage-reusable.yml weekly + dispatch → dispatch central triage with target_repo=<host>
idea-enhancer.yml idea-enhancer-reusable.yml new Ideas Discussion + weekly → dispatch central enhancer with target_repo=<host>

Design

  • Pattern: thin stub → reusable that dispatches the central workflow, mirroring pr-review-mention. claude-code-action aborts on discussion event contexts (the feat: implement issue #580 — Retire/delineate the detection-based apply-rulesets.sh — it diverges from the codified ruleset (#575 debt) #591 root cause), so the reusables re-dispatch the central workflow_dispatch rather than plan inline.
  • Cross-repo writes rely on the central workflows' target_repo parameterization (now on main via #827/#829) + the GH_PAT_WORKFLOWS PAT for dispatch (GITHUB_TOKEN can't start a workflow_dispatch run — loop prevention).
  • Adoptable, not force-deployed: like feature-ideation.yml, these are not in DEPLOYABLE_WORKFLOWS. BMAD repos opt in (the S8 pilot/rollout drives adoption). No fanout on merge.

Release follow-ups (not in this PR)

  • Cut the channel tags initiative-planner/stable, idea-triage/stable, idea-enhancer/stable (+ vX.Y.Z) so adopting repos' @*/stable pins resolve.
  • S8 (.github-private#825) adds the ci-standards.md section + pipeline-doc diagram + one-repo pilot.
  • S1 (#818, GitHub App creds) refines the cross-repo token from GH_PAT_WORKFLOWS to a least-privilege App token.

Refs petry-projects/.github-private#817, #820, #821

🤖 Generated with Claude Code

@don-petry don-petry requested a review from a team as a code owner June 20, 2026 18:43
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jun 20, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 12 minutes and 50 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ba9d3f1f-17df-4f30-a43f-a682851504a9

📥 Commits

Reviewing files that changed from the base of the PR and between b8ce5a2 and 20d8f80.

📒 Files selected for processing (6)
  • .github/workflows/idea-enhancer-reusable.yml
  • .github/workflows/idea-triage-reusable.yml
  • .github/workflows/initiative-planner-reusable.yml
  • standards/workflows/idea-enhancer.yml
  • standards/workflows/idea-triage.yml
  • standards/workflows/initiative-planner.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/fleet-idea-pipeline-stubs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 20, 2026 18:44
@don-petry don-petry disabled auto-merge June 20, 2026 18:44

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the GitHub Advanced Security (GHAS) Standard document detailing org-wide enablement, licensing, and verification procedures, alongside cross-reference updates in other standards. It also adds three new workflow stubs for central automation. Feedback focuses on correcting the gh api jq filters to properly parse the code_security_configurations payload and refining the canary cleanup script to avoid accidentally resolving unrelated open security alerts.

Comment thread standards/advanced-security.md
Comment thread standards/advanced-security.md
Comment thread standards/advanced-security.md
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
## Summary
**No actionable issues found.**
The SonarCloud quality gate **PASSED** with:
- ✅ 0 New issues
- ✅ 0 Accepted issues  
- ✅ 0 Security Hotspots
**CI status:** All checks passing (no failures or blocked reviews)
The PR adds 6 workflow definition files (376 lines of YAML) as part of the idea→initiative pipeline stubs feature. SonarCloud analysis completed successfully with no findings.
**No changes needed.**

@don-petry don-petry enabled auto-merge (squash) June 20, 2026 18:45
@donpetry-bot

Copy link
Copy Markdown
Contributor

Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-20T19:47:42Z.

@don-petry don-petry disabled auto-merge June 20, 2026 18:49
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) June 20, 2026 18:50
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 20, 2026
Adds the public-repo half of the fleet enablement (epic petry-projects/.github-private#817):
thin caller stubs + dispatch reusables so any BMAD-enabled repo can run the
idea→initiative pipeline against its own Discussions, while the BMAD frameworks
and planning logic stay vendored once in .github-private.

- initiative-planner: on `idea:approved` (trusted actor), re-dispatch the central
  BMAD Scrum Master with the host repo as target_repo (closes the real
  deliverable of #820 — #828 only landed a lint.yml fix).
- idea-triage / idea-enhancer: weekly + new-Discussion triggers that dispatch the
  central target_repo-parameterized workflows (the real deliverable of #821).

All three follow the pr-review-mention pattern (thin stub → reusable that dispatches
to .github-private). claude-code-action can't run on `discussion` events, so the
reusables dispatch the central workflow_dispatch rather than plan inline.

Stubs are adoptable templates (like feature-ideation.yml), not in
DEPLOYABLE_WORKFLOWS — BMAD repos opt in. Channel tags (initiative-planner/stable,
idea-triage/stable, idea-enhancer/stable) to be cut on release.

Refs petry-projects/.github-private#817, #820, #821

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 20, 2026 18:58
@don-petry

Copy link
Copy Markdown
Contributor Author

@donpetry-bot please review — code-owner approval needed to merge. CI is green; this PR adds only the three idea→initiative fleet caller stubs + their dispatch reusables.

@donpetry-bot

Copy link
Copy Markdown
Contributor

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 20d8f80a071d619942105584d611cf7a561eef19
Review mode: triage-approved (single reviewer)

Summary

Adds 6 new workflow files (3 thin caller stubs under standards/workflows/ + 3 dispatch reusables under .github/workflows/) that fleet-enable the idea→initiative pipeline by re-dispatching the central petry-projects/.github-private workflows with the caller repo as target_repo. Additive only (376 lines, 0 deletions). Confirms the triage low-risk assessment.

Linked issue analysis

No linked closing issues (closingIssuesReferences empty). PR body references epic .github-private#817 and prior PRs #820/#821 as context; this PR is the public-repo deliverable those .github-private runs could not create. Scope matches the stated intent — caller stubs + dispatch reusables, no central logic duplicated.

Findings

No blocking findings. Workflows are well-hardened: (1) all untrusted inputs (actor login, discussion number, target repo) are passed via env: rather than inline ${{ }} expansion, avoiding script injection; (2) the privileged initiative-planner validates the discussion number against ^[1-9][0-9]$ before the gh call and gates dispatch behind a trusted-actor check (collaborators/{actor}/permission API, admin|write only); (3) permissions: {} on every job; (4) PAT-presence guards fail fast. The reusables are pinned to moving channel tags (@/stable) rather than SHAs — this is the documented, intentional org pattern for first-party reusable workflows (mirrors pr-review-mention), not an action-pinning violation. secrets: inherit is the established pattern for these stubs. Stale Gemini inline comments target standards/advanced-security.md, which is not in this diff, and were already addressed by the author. MCP secret-scan was unavailable (permission not granted); noted and non-blocking — the gitleaks CI check passed and the files contain only references to secrets.GH_PAT_WORKFLOWS, no secret values.

CI status

All checks green: CodeQL Analyze (actions) SUCCESS, AgentShield SUCCESS, Agent Security Scan SUCCESS, SonarCloud Quality Gate passed (0 new issues, 0 security hotspots), Secret scan (gitleaks) SUCCESS, ShellCheck SUCCESS, Lint SUCCESS. Dependency-audit language jobs SKIPPED (no matching ecosystems). mergeStateStatus is BLOCKED solely due to the required org-leads team review (REVIEW_REQUIRED human gate), not any failing check.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry don-petry merged commit 4d05546 into main Jun 20, 2026
22 checks passed
@don-petry don-petry deleted the feat/fleet-idea-pipeline-stubs branch June 20, 2026 19:02

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 20d8f80a071d619942105584d611cf7a561eef19
Review mode: triage-approved (single reviewer)

Summary

Adds 6 new, additive workflow files (376 lines, 0 deletions): 3 thin caller stubs under standards/workflows/ (idea-enhancer, idea-triage, initiative-planner) plus their 3 dispatch reusables under .github/workflows/. The stubs are adoptable templates (not in DEPLOYABLE_WORKFLOWS); the reusables re-dispatch the central petry-projects/.github-private pipeline workflows with the caller repo as target_repo. Confirms the triage low-risk assessment.

Linked issue analysis

No linked closing issues (closingIssuesReferences empty). PR body references epic .github-private#817 and prior PRs #820/#821 as context — this PR is the public-repo deliverable those .github-private dev-lead runs could not create (they lack write access here). Scope matches the stated intent: caller stubs + dispatch reusables only, with no central planning logic duplicated.

Findings

No blocking findings. Workflows are well-hardened: (1) every untrusted input (actor login, discussion number, target repo, central repo) is passed via env: rather than inline ${{ }} expansion in run scripts, avoiding script injection; (2) initiative-planner-reusable validates the discussion number against ^[1-9][0-9]$ before the gh call and gates dispatch behind a trusted-actor check (collaborators/{actor}/permission API, admin|write only) since the discussion 'labeled' payload carries no author_association; (3) permissions: {} on every job; (4) PAT-presence guards fail fast; (5) idea-enhancer-reusable's discussion trigger is scoped to the 'ideas' category and skips Bot-authored discussions. The reusables are pinned to moving channel tags (@/stable), the documented org pattern for first-party reusable workflows (mirrors pr-review-mention) and explicitly mandated by the stub headers — not an action-pinning violation. secrets: inherit is the established stub pattern. Advisory bots returned nothing actionable: SonarCloud passed (0 issues/hotspots), Codex and CodeRabbit were rate-limited, and the Gemini inline comments target standards/advanced-security.md, which is not in this diff. MCP secret-scan was unavailable (permission not granted) — noted and non-blocking; the gitleaks CI check passed and the diff contains only references to secrets.GH_PAT_WORKFLOWS, no secret values.

CI status

All required checks green: CodeQL Analyze (actions) SUCCESS, AgentShield SUCCESS, Agent Security Scan SUCCESS, SonarCloud Quality Gate passed, Secret scan (gitleaks) SUCCESS, ShellCheck SUCCESS, Lint SUCCESS, pr-auto-review check-and-dispatch SUCCESS, dev-lead dispatch SUCCESS. Dependency-audit language jobs (npm/pnpm/pip/cargo/go) SKIPPED — no matching ecosystems. reviewDecision is APPROVED; merge remains gated on the required human/org-leads review, not any failing check.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

don-petry added a commit that referenced this pull request Jun 21, 2026
…n audit (#503)

* ci(dev-lead): pin .github caller to @dev-lead/ring0 + teach audit ring channels

Staged canary rollout of dev-lead v1.4.0 (versioning.md Phase 2, #499/#500).

- .github/workflows/dev-lead.yml: pin the dev-lead caller to the new
  dev-lead/ring0 channel (+ agent_ref: dev-lead/ring0). This repo previously
  pinned @main (bleeding edge); ring0 gives it a controlled canary slot that
  rolls forward/back via a central tag move.
- scripts/compliance-audit.sh (check_dev_lead_stub): accept the staged-canary
  channels dev-lead/{stable,next,ring<N>} for both the uses: pin and agent_ref,
  not just stable. Still rejects @main and frozen @vX.Y.Z/@<sha> (callers must
  pin a moving channel). Needed so ring-pinned consumers (e.g. TalkTerm@ring1)
  aren't flagged dev-lead-stub-pin.

Ring plan: .github-private→next · .github→ring0 · TalkTerm→ring1 · rest→stable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(reviews): address review comments [skip ci-relay]

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
don-petry added a commit that referenced this pull request Jun 24, 2026
…DR (#869) (#520)

* docs(standards): formalize the agent canary-ring/soak/promotion model + ADR (#869)

The rings model in ci-standards.md was documented aspirationally and as a
cut-release.sh-only (manual) process. dev-lead v1.4.0 has now shipped end-to-end
through the automated, health-gated pipeline, so promote the standard to match:

- Ring table → the canonical host-relative model: next=host, ring0=other org-infra
  repo, ring1=named low-traffic consumers, stable=rest. Points at canary-rings.json
  as the membership SoT.
- "Rollout status" → reflects the built automation: canary-rollout.sh + the 4h
  evaluate / dispatch-gated promote, the concrete soak gate (healthy >= ceil(baseline/7)
  AND failure-rate <= baseline, no floor), rollback mechanics, and the codified
  release-channel-tags ruleset (apply-rulesets.sh).
- New ADR docs/initiatives/agent-canary-rings-adr.md — records the decision +
  rationale (immutable releases + moving channels, host-relative rings, health-gated
  promotion, circular-dependency fix).

DRAFT until the host-repo implementation PRs land (.github-private #878 canary-rollout,
#889 ruleset codify, #880 SHA-pin guardrail) — this standard references them.

Closes #869. Refs #495, #499, #500, #501, #502, #868.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(bot): address bot feedback [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants