docs(github-settings): reconcile §243 required-checks table to codified code-quality (#575)#579
…ed code-quality (#575)

The required-checks table claimed Coverage + Secret Scan + Dev-Lead Agent as required "All repos" while omitting agent-shield + dependency-audit — out of sync with the codified standards/rulesets/code-quality.json (4 contexts). Reconcile to the codified set and document the safe sequencing.

- Point the section at standards/rulesets/code-quality.json as the source of truth.
- Required (codified): SonarCloud, CodeQL, agent-shield/AgentShield, dependency-audit/Detect ecosystems (note: only the unconditional Detect job).
- Reclassify: Secret Scan + Coverage → template/new repos, NOT yet fleet-wide (added to the ruleset only after a coverage backfill — requiring them now bricks repos lacking the jobs); Dev-Lead Agent → not a required context (per-PR review; requiring it deadlocks workflow-touching PRs); CI Pipeline → repo-specific.
- Add a "Sequencing" note explaining why Secret Scan + Coverage are staged.

Docs-only; markdownlint clean. Depends on #577 (adds standards/rulesets/). Part of #575 (folded-in from closed #1001).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Walkthrough: Documentation in standards/github-settings.md is rewritten to describe the code-quality ruleset's required checks as dynamically derived from apply-rulesets.sh's detect_required_checks() function, narrowing the required merge-gate contexts to SonarCloud, CodeQL, AgentShield, and Dependency Audit, while deferring Secret Scan and Coverage.

Changes: Required check documentation rewrite.
Pre-merge checks: 5 passed.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Code Review
This pull request updates the documentation in standards/github-settings.md to clarify the required checks ruleset and explain why certain checks like coverage and secret scanning are staged. The review feedback highlights several inaccuracies in the updated documentation: the description of how apply-rulesets.sh functions is technically inaccurate, there is a mismatch between the documented SonarCloud check name and what the script dynamically applies, and the template ci.yml does not actually produce a separate coverage check out of the box.
Dev-Lead — fix-bot-comment (no-changes): Agent reasoning
Pull request overview
Updates the org standards documentation in standards/github-settings.md to realign the code-quality required-checks table with the intended codified ruleset, and to document why some checks (coverage/secret scan/dev-lead) are staged or intentionally excluded from the fleet-wide ruleset.
Changes:
- Adds a “codified source of truth” pointer for code-quality required checks and reconciles the table to the intended 4 required contexts.
- Reclassifies Secret Scan, Coverage, Dev-Lead Agent, and CI Pipeline as not currently codified fleet-wide, with rationale.
- Adds a sequencing note explaining why new required contexts must be staged (backfill first, then enforce).
Dev-Lead — fix-reviews (applied): Changes committed and pushed.
Dev-Lead — waiting on PR blockers (intent: review-changes): PR #579
Note @don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@standards/github-settings.md`:
- Around line 265-281: Clarify the scope of the required-checks table so it
matches detect_required_checks() and apply-rulesets.sh: this section should not
claim the listed checks apply to every repo if Dev-Lead Agent and Secret Scan
are only added when their workflows exist. Update the wording in
standards/github-settings.md to explicitly say this table covers only the
unconditional fleet-wide required contexts, or restore the conditional entries
if that was the intended scope, and keep the check names aligned with
detect_required_checks().
- Around line 278-289: The coverage rollout guidance is internally inconsistent:
one paragraph says the template ci.yml does not produce the coverage check,
while the Sequencing section says the template now ships both jobs for new
repos. Update the copy around Coverage and the Sequencing note so they agree on
whether ci.yml produces coverage today, and keep the staged ruleset/backfill
guidance aligned with that final state.
Files selected for processing (1): standards/github-settings.md
Dev-Lead — fix-reviews (applied): Changes committed and pushed.
Dev-Lead — review-changes (applied): Changes committed and pushed.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
donpetry-bot left a comment:
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 5b30e259a9d27efe6d1a57db6cc7c464db21c2c8
Review mode: triage-approved (single reviewer)
Summary
Docs-only change (1 file, +33/−11) to standards/github-settings.md §code-quality: reconciles the drifted required-checks table to the codified ruleset set (SonarCloud, CodeQL, AgentShield, dependency-audit Detect job), reclassifies Secret Scan/Coverage/Dev-Lead Agent/CI Pipeline as staged or non-codified, and adds a sequencing note explaining the staged rollout. Triage assessment confirmed correct.
Linked issue analysis
References #575 (open — relocate compliance rulesets to standards/rulesets/). This PR addresses the documentation-reconciliation slice of that work; it intentionally does not close the issue. The residual apply-rulesets.sh divergence is tracked as a follow-up in .github-private#1013, per the PR body.
Findings
- No blocking findings. Docs-only; no code, workflow, or secret-bearing changes.
- Verified all relative links and anchors in the changed section resolve at head SHA: workflows/ci.yml, ci-standards.md, push-protection.md, and the #source-of-truth--repo-boundary anchor (which already exists on main, so the anchor holds even if this merges before #577).
- The PR body says "merge #577 first" — that dependency only affects a link in the PR body (to standards/rulesets/code-quality.json, added by #577), not the doc content in this diff. Harmless either way; noting the author's stated ordering preference.
- All 7 prior bot review threads (gemini, Copilot, CodeRabbit) are resolved; the CodeRabbit CHANGES_REQUESTED review was addressed by subsequent commits and dismissed. No unanswered human-reviewer questions.
- Secret-scanning MCP tool not available in this run; the gitleaks CI check passed (SUCCESS), so no gap.
CI status
All checks green: SonarCloud, CodeQL, agent-shield / AgentShield, Detect ecosystems, Lint, ShellCheck, Secret scan (gitleaks), Agent Security Scan, npm audit, CodeRabbit. Ecosystem-gated audits (pip/cargo/pnpm/govulncheck) skipped as expected. mergeStateStatus is BLOCKED pending review approval only.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Summary

Reconciles the code-quality required-checks table (github-settings.md §243) to the codified standards/rulesets/code-quality.json, and documents the safe sequencing for the staged checks. Folded in from closed #1001.

The table had drifted: it claimed Coverage + Secret Scan + Dev-Lead Agent as required "All repos" while omitting agent-shield + dependency-audit — the opposite of what the codified ruleset enforces.

Reconciled to the codified set

Required (codified in code-quality.json): SonarCloud, CodeQL, agent-shield / AgentShield, dependency-audit / Detect ecosystems (note: only the unconditional Detect job — per-ecosystem jobs are lockfile-gated and would fail as required-but-skipped).

Reclassified (intentionally NOT in the ruleset today):
- Secret Scan + Coverage — template ci.yml (this series); template/new repos only, not yet fleet-wide — added to the ruleset after a coverage backfill (requiring them now bricks repos without the jobs — the "Relocate org-wide compliance rulesets (code-quality, pr-quality) from .github-private to .github/standards/rulesets/ #575" finding).
- Dev-Lead Agent — not a required context (per-PR review; requiring it deadlocks workflow-touching PRs).
- CI Pipeline — repo-specific.

Adds a Sequencing note explaining why Secret Scan + Coverage are staged.

Notes
- Depends on #577 (adds standards/rulesets/) for the source-of-truth link to resolve — merge "chore(rulesets): relocate code-quality + pr-quality to standards/rulesets/ (#575) #577" first.
- .github/scripts/apply-rulesets.sh still adds Dev-Lead Agent / dev-lead (contra the codified file); this is called out in the companion .github-private PR #1013 as an open follow-up.
- Part of #575.
🤖 Generated with Claude Code
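The sequencing argument above (a required context that some repos never report bricks their PRs, so backfill first and enforce second) is easy to check mechanically before a ruleset change ships. The script below is an added example and is not the project's apply-rulesets.sh or its detect_required_checks(); it assumes the ruleset file uses GitHub's `required_status_checks` rule shape, uses the four context names the PR body lists as codified, and runs against a constructed per-repo inventory of reported check contexts (hypothetical repo names).

```python
"""Dry-run the fleet impact of a rulesets required-status-checks change.

Added example, not part of this PR or of the project's apply-rulesets.sh.
Assumption: the ruleset JSON follows GitHub's "required_status_checks" rule
shape; the fleet inventory below is constructed for illustration.
"""
from __future__ import annotations

# Constructed ruleset fragment (GitHub rulesets JSON shape). The four
# contexts are the ones the PR body lists as codified; integration_id omitted.
CODE_QUALITY_RULESET = {
    "name": "code-quality",
    "enforcement": "active",
    "rules": [
        {
            "type": "required_status_checks",
            "parameters": {
                "strict_required_status_checks_policy": False,
                "required_status_checks": [
                    {"context": "SonarCloud"},
                    {"context": "CodeQL"},
                    {"context": "agent-shield / AgentShield"},
                    {"context": "dependency-audit / Detect ecosystems"},
                ],
            },
        }
    ],
}

# Constructed inventory: the check contexts each repo's workflows actually
# report on a PR. Repo names are hypothetical; "svc-legacy" predates the
# template and has neither the Coverage nor the Secret Scan job.
FLEET_REPORTS = {
    "svc-api": {"SonarCloud", "CodeQL", "agent-shield / AgentShield",
                "dependency-audit / Detect ecosystems", "Coverage", "Secret Scan"},
    "svc-legacy": {"SonarCloud", "CodeQL", "agent-shield / AgentShield",
                   "dependency-audit / Detect ecosystems"},
    "lib-utils": {"SonarCloud", "CodeQL", "agent-shield / AgentShield",
                  "dependency-audit / Detect ecosystems", "Coverage"},
}


def required_contexts(ruleset: dict) -> list[str]:
    """Collect context names from every required_status_checks rule."""
    contexts: list[str] = []
    for rule in ruleset.get("rules", []):
        if rule.get("type") != "required_status_checks":
            continue
        for check in rule["parameters"]["required_status_checks"]:
            contexts.append(check["context"])
    return contexts


def blocked_repos(contexts: list[str], reports: dict[str, set[str]]) -> dict[str, list[str]]:
    """Map each context to the repos that never report it.

    A required context that a repo never produces leaves every PR in that
    repo unable to merge, which is the "bricked repo" the PR body warns about.
    """
    return {
        ctx: sorted(repo for repo, seen in reports.items() if ctx not in seen)
        for ctx in contexts
    }


def staged_plan(candidates: list[str], reports: dict[str, set[str]]) -> dict[str, list[str]]:
    """Split candidate contexts into enforce-now and backfill-first buckets."""
    impact = blocked_repos(candidates, reports)
    return {
        "enforce_now": sorted(ctx for ctx, blocked in impact.items() if not blocked),
        "backfill_first": sorted(ctx for ctx, blocked in impact.items() if blocked),
    }


def ruleset_is_safe(ruleset: dict, reports: dict[str, set[str]]) -> bool:
    """True when no repo in the inventory would be blocked by the ruleset as written."""
    return not any(blocked_repos(required_contexts(ruleset), reports).values())


if __name__ == "__main__":
    codified = required_contexts(CODE_QUALITY_RULESET)
    print("codified ruleset safe for fleet:", ruleset_is_safe(CODE_QUALITY_RULESET, FLEET_REPORTS))
    plan = staged_plan(codified + ["Coverage", "Secret Scan"], FLEET_REPORTS)
    print("enforce now:    ", plan["enforce_now"])
    print("backfill first: ", plan["backfill_first"])
    for ctx, repos in blocked_repos(plan["backfill_first"], FLEET_REPORTS).items():
        print(f"  {ctx}: missing in {repos}")
```

Running it with the constructed inventory reports the four codified contexts as safe to enforce and puts Coverage and Secret Scan in the backfill bucket, naming the repos that still lack the jobs; in practice the inventory would be built from each repo's recent check runs rather than hard-coded.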