
docs(github-settings): reconcile §243 required-checks table to codified code-quality (#575)#579

Merged

don-petry merged 4 commits into main from docs/reconcile-required-checks-575 on Jul 2, 2026

Conversation


@don-petry don-petry commented Jul 2, 2026

Contributor

Summary

Reconciles the code-quality required-checks table (github-settings.md §243) to the codified standards/rulesets/code-quality.json, and documents the safe sequencing for the staged checks. Folded in from closed #1001.

The table had drifted: it claimed Coverage + Secret Scan + Dev-Lead Agent as required "All repos" while omitting agent-shield + dependency-audit — the opposite of what the codified ruleset enforces.

Reconciled to the codified set

Required (codified in code-quality.json):

  • SonarCloud, CodeQL, agent-shield / AgentShield, dependency-audit / Detect ecosystems (note: only the unconditional Detect job — per-ecosystem jobs are lockfile-gated and would fail as required-but-skipped).

Reclassified (intentionally NOT in the ruleset today):

Adds a Sequencing note explaining why Secret Scan + Coverage are staged.

Notes

Part of #575.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Updated the GitHub settings guidance to match how required checks are determined in practice.
    • Clarified which merge checks are currently mandatory on the default branch and which are intentionally deferred.
    • Added guidance on rollout sequencing to help avoid enabling checks too early and blocking repositories.

…ed code-quality (#575)

The required-checks table claimed Coverage + Secret Scan + Dev-Lead Agent as
required "All repos" while omitting agent-shield + dependency-audit — out of sync
with the codified standards/rulesets/code-quality.json (4 contexts). Reconcile to
the codified set and document the safe sequencing.

- Point the section at standards/rulesets/code-quality.json as the source of truth.
- Required (codified): SonarCloud, CodeQL, agent-shield/AgentShield,
  dependency-audit/Detect ecosystems (note: only the unconditional Detect job).
- Reclassify: Secret Scan + Coverage → template/new repos, NOT yet fleet-wide (added
  to the ruleset only after a coverage backfill — requiring them now bricks repos
  lacking the jobs); Dev-Lead Agent → not a required context (per-PR review;
  requiring it deadlocks workflow-touching PRs); CI Pipeline → repo-specific.
- Add a "Sequencing" note explaining why Secret Scan + Coverage are staged.

Docs-only; markdownlint clean. Depends on #577 (adds standards/rulesets/).

Part of #575 (folded-in from closed #1001).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
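The PR body and commit message describe the failure mode this reconciliation guards against: a context listed in the ruleset's required status checks that a repo never produces (or only produces when a lockfile gate is true) leaves the default branch unmergeable. The script below is an added example, not code from this repository or from apply-rulesets.sh / detect_required_checks(). It assumes code-quality.json follows the GitHub REST ruleset shape (a `required_status_checks` rule whose parameters list `{"context": ...}` entries) and that check runs are in the shape returned by the check-runs API (`name`, `status`, `conclusion`); the ruleset contents, check runs and fleet below are constructed. It audits the codified contexts against what actually ran on a commit, and dry-runs a candidate context (Coverage) across a fleet to show the backfill-first sequencing the PR describes.

```python
"""Audit a GitHub ruleset's required status checks against what actually ran.

Added example, not the repository's own tooling. Assumed shapes: GitHub REST
ruleset JSON for the ruleset, and GET /repos/{o}/{r}/commits/{ref}/check-runs
for the check runs. All data here is constructed for illustration.
"""
import json

# Constructed stand-in for standards/rulesets/code-quality.json (assumed shape).
RULESET_JSON = json.dumps({
    "name": "code-quality",
    "target": "branch",
    "enforcement": "active",
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
    "rules": [{
        "type": "required_status_checks",
        "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [
                {"context": "SonarCloud"},
                {"context": "CodeQL"},
                {"context": "agent-shield / AgentShield"},
                {"context": "dependency-audit / Detect ecosystems"},
            ],
        },
    }],
})

# Constructed check runs for one repo's default-branch head: npm audit ran,
# the pip/cargo audits were skipped by their lockfile gate, and "Coverage"
# never reported because this repo has no such job.
CHECK_RUNS = [
    {"name": "SonarCloud", "status": "completed", "conclusion": "success"},
    {"name": "CodeQL", "status": "completed", "conclusion": "success"},
    {"name": "agent-shield / AgentShield", "status": "completed", "conclusion": "success"},
    {"name": "dependency-audit / Detect ecosystems", "status": "completed", "conclusion": "success"},
    {"name": "dependency-audit / npm audit", "status": "completed", "conclusion": "success"},
    {"name": "dependency-audit / pip audit", "status": "completed", "conclusion": "skipped"},
    {"name": "dependency-audit / cargo audit", "status": "completed", "conclusion": "skipped"},
    {"name": "Secret scan (gitleaks)", "status": "completed", "conclusion": "success"},
]


def required_contexts(ruleset_json: str) -> list[str]:
    """Return the required status-check contexts declared in a ruleset."""
    ruleset = json.loads(ruleset_json)
    contexts = []
    for rule in ruleset.get("rules", []):
        if rule.get("type") != "required_status_checks":
            continue
        for check in rule["parameters"]["required_status_checks"]:
            contexts.append(check["context"])
    return contexts


def classify(context: str, check_runs: list[dict]) -> str:
    """Classify one required context against the check runs on a commit.

    "ok"      - completed with conclusion success
    "skipped" - reported, but skipped (conditional job whose gate was false)
    "failed"  - reported with any other terminal conclusion
    "pending" - reported but not completed
    "missing" - never reported on this commit (the job does not exist here)
    Anything other than "ok" is treated as not satisfying the merge gate; this
    is the conservative assumption behind the PR's "required-but-skipped" note.
    """
    runs = [r for r in check_runs if r["name"] == context]
    if not runs:
        return "missing"
    latest = runs[-1]
    if latest["status"] != "completed":
        return "pending"
    if latest["conclusion"] == "success":
        return "ok"
    if latest["conclusion"] == "skipped":
        return "skipped"
    return "failed"


def audit(ruleset_json: str, check_runs: list[dict]) -> dict[str, str]:
    """Map each codified required context to its state on this commit."""
    return {c: classify(c, check_runs) for c in required_contexts(ruleset_json)}


def blocked_repos(candidate: str, fleet: dict[str, list[dict]]) -> list[str]:
    """Dry-run adding `candidate` to the ruleset: which repos would it brick?

    `fleet` maps repo name -> check runs on that repo's default-branch head.
    A context is safe to require fleet-wide only when this returns [].
    """
    return sorted(repo for repo, runs in fleet.items()
                  if classify(candidate, runs) != "ok")


if __name__ == "__main__":
    for ctx, state in audit(RULESET_JSON, CHECK_RUNS).items():
        print(f"{state:8} {ctx}")
    # Constructed fleet: only the template-derived repo ships a Coverage job.
    fleet = {
        "template-new-repo": CHECK_RUNS + [
            {"name": "Coverage", "status": "completed", "conclusion": "success"}],
        "legacy-repo": CHECK_RUNS,
    }
    print("Coverage would block:", blocked_repos("Coverage", fleet))
```

Run against real data by replacing RULESET_JSON with the file contents and CHECK_RUNS with the `check_runs` array from the API for each repo's default-branch head; `blocked_repos` returning a non-empty list is the signal to keep a context on the staged list until the backfill lands.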
@don-petry don-petry requested a review from a team as a code owner July 2, 2026 14:49
Copilot AI review requested due to automatic review settings July 2, 2026 14:49


coderabbitai Bot commented Jul 2, 2026



📥 Commits

Reviewing files that changed from the base of the PR and between 89b53a5 and 5b30e25.

📒 Files selected for processing (1)
  • standards/github-settings.md
📝 Walkthrough

Documentation in standards/github-settings.md is rewritten to describe the code-quality ruleset's required checks as dynamically derived from apply-rulesets.sh's detect_required_checks() function, narrowing the required merge-gate contexts to SonarCloud, CodeQL, AgentShield, and Dependency Audit, while deferring Secret Scan and Coverage.

Changes

Required check documentation rewrite (standards/github-settings.md):

  • Dynamic construction context: Adds documentation clarifying that the code-quality ruleset is dynamically constructed per-repo via detect_required_checks(), with the table serving as canonical reference synced to detection logic.
  • Narrowed required-check table: Replaces the universal required-check table with SonarCloud, CodeQL, AgentShield, and a simplified Dependency Audit; moves Dev-Lead Agent, Coverage, and Secret Scan to a staged/excluded list with sequencing notes on merge-gate bricking risk.

Estimated code review effort: 1 (Trivial) | ~5 minutes


🚥 Pre-merge checks: 5 passed

  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check ✅ Passed: The title clearly states the docs-only reconciliation of the required-checks table to the codified code-quality source of truth.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.

@don-petry

Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:50
@don-petry don-petry disabled auto-merge July 2, 2026 14:51

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the documentation in standards/github-settings.md to clarify the required checks ruleset and explain why certain checks like coverage and secret scanning are staged. The review feedback highlights several inaccuracies in the updated documentation: the description of how apply-rulesets.sh functions is technically inaccurate, there is a mismatch between the documented SonarCloud check name and what the script dynamically applies, and the template ci.yml does not actually produce a separate coverage check out of the box.

@don-petry

Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
- No actionable issues found — Quality Gate passed
Files changed: (none required)
Skipped (informational): 0
Status: PR is ready — no fixes required
The PR is in good shape. The only in-progress checks are Analyze (actions) and the Copilot reviewer, which are normal CI operations. Once those complete, the PR can proceed.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:51
@don-petry don-petry disabled auto-merge July 2, 2026 14:52

Copilot AI left a comment


Pull request overview

Updates the org standards documentation in standards/github-settings.md to realign the code-quality required-checks table with the intended codified ruleset, and to document why some checks (coverage/secret scan/dev-lead) are staged or intentionally excluded from the fleet-wide ruleset.

Changes:

  • Adds a “codified source of truth” pointer for code-quality required checks and reconciles the table to the intended 4 required contexts.
  • Reclassifies Secret Scan, Coverage, Dev-Lead Agent, and CI Pipeline as not currently codified fleet-wide, with rationale.
  • Adds a sequencing note explaining why new required contexts must be staged (backfill first, then enforce).

coderabbitai Bot previously approved these changes Jul 2, 2026
@don-petry

Contributor Author

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

@don-petry don-petry disabled auto-merge July 2, 2026 14:57
@don-petry

Contributor Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #579
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-07-02T15:28:47Z

@don-petry

Contributor Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-07-02T15:28:47Z

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:58

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2


Inline comments:
In `@standards/github-settings.md`:
- Around line 265-281: Clarify the scope of the required-checks table so it
matches detect_required_checks() and apply-rulesets.sh: this section should not
claim the listed checks apply to every repo if Dev-Lead Agent and Secret Scan
are only added when their workflows exist. Update the wording in
standards/github-settings.md to explicitly say this table covers only the
unconditional fleet-wide required contexts, or restore the conditional entries
if that was the intended scope, and keep the check names aligned with
detect_required_checks().
- Around line 278-289: The coverage rollout guidance is internally inconsistent:
one paragraph says the template ci.yml does not produce the coverage check,
while the Sequencing section says the template now ships both jobs for new
repos. Update the copy around Coverage and the Sequencing note so they agree on
whether ci.yml produces coverage today, and keep the staged ruleset/backfill
guidance aligned with that final state.
📥 Commits

Reviewing files that changed from the base of the PR and between b136487 and 89b53a5.

📒 Files selected for processing (1)
  • standards/github-settings.md

@don-petry don-petry disabled auto-merge July 2, 2026 15:02
coderabbitai Bot previously approved these changes Jul 2, 2026
@don-petry

Contributor Author

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 15:09
coderabbitai Bot previously approved these changes Jul 2, 2026
@don-petry don-petry disabled auto-merge July 2, 2026 15:10
@don-petry

Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.


sonarqubecloud Bot commented Jul 2, 2026


@don-petry

Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 15:13

@donpetry-bot donpetry-bot left a comment


Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 5b30e259a9d27efe6d1a57db6cc7c464db21c2c8
Review mode: triage-approved (single reviewer)

Summary

Docs-only change (1 file, +33/−11) to standards/github-settings.md §code-quality: reconciles the drifted required-checks table to the codified ruleset set (SonarCloud, CodeQL, AgentShield, dependency-audit Detect job), reclassifies Secret Scan/Coverage/Dev-Lead Agent/CI Pipeline as staged or non-codified, and adds a sequencing note explaining the staged rollout. Triage assessment confirmed correct.

Linked issue analysis

References #575 (open — relocate compliance rulesets to standards/rulesets/). This PR addresses the documentation-reconciliation slice of that work; it intentionally does not close the issue. The residual apply-rulesets.sh divergence is tracked as a follow-up in .github-private#1013, per the PR body.

Findings

  • No blocking findings. Docs-only; no code, workflow, or secret-bearing changes.
  • Verified all relative links and anchors in the changed section resolve at head SHA: workflows/ci.yml, ci-standards.md, push-protection.md, and the #source-of-truth--repo-boundary anchor (which already exists on main, so the anchor holds even if this merges before #577).
  • The PR body says "merge #577 first" — that dependency only affects a link in the PR body (to standards/rulesets/code-quality.json, added by #577), not the doc content in this diff. Harmless either way; noting the author's stated ordering preference.
  • All 7 prior bot review threads (gemini, Copilot, CodeRabbit) are resolved; the CodeRabbit CHANGES_REQUESTED review was addressed by subsequent commits and dismissed. No unanswered human-reviewer questions.
  • Secret-scanning MCP tool not available in this run; the gitleaks CI check passed (SUCCESS), so no gap.

CI status

All checks green: SonarCloud, CodeQL, agent-shield / AgentShield, Detect ecosystems, Lint, ShellCheck, Secret scan (gitleaks), Agent Security Scan, npm audit, CodeRabbit. Ecosystem-gated audits (pip/cargo/pnpm/govulncheck) skipped as expected. mergeStateStatus is BLOCKED pending review approval only.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
