config: require Format/Clippy/Test as org-wide branch-protection floor #57
Merged
Why: every active pulseengine Rust repo runs Format, Clippy, and Test
under those exact job names. The previous empty `contexts: []` meant
temper applied branch protection but didn't require any specific
status checks — so brand-new repos and repos that hadn't been
touched at the API level had unprotected merges.
What: add the three universal Rust check names to
`branch_protection.default.required_status_checks.contexts`. Repos
with richer smithy patterns (spar, gale, sigil — Cargo Deny,
Mutation Testing, etc.) keep their extras at the repo level via
direct API; this list is the additive minimum, not an exclusive set.
Test plan:
- YAML parses cleanly (python yaml.safe_load).
- npm test → 834 pass (unchanged; integration tests use inline
config fixtures, not config.yml).
- After merge: temper's scheduled sweep re-applies branch protection
across all 27 pulseengine repos within the next sweep window.
Out of scope: org-level Actions fork-PR-approval policy and
allowed-actions allowlist (UI-only today; tracked as a follow-up
feature request "feat: manage org-level Actions fork-PR-approval
policy and allowed-actions allowlist via config.yml").
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds the safety warning from a parallel duplicate PR (#58, closing in favour of this one). The risk is concrete: any context added to this list that not every repo's CI defines will leave those repos stuck unable to merge. Keep the list universal-only.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Audit during smithy migration rollout (2026-05-10) found that several pulseengine repos don't define Format/Clippy/Test under those exact names: rules_lean (only verify-rules + build), pulseengine.eu (web build), .github (community files), rules_rocq_rust (mostly Bazel), wasm-component-examples, moonbit_checksum_updater, and a couple of MCP-server templates. Setting Format/Clippy/Test as required contexts org-wide via Temper would leave all those repos permanently unable to merge PRs (the required check would never appear because the workflow doesn't define it). Reverting contexts back to [] keeps the org-wide protection benefits — strict, signed-commits, no force push, no deletion, enforce_admins — without the small-repo trap. Per-repo can add specific required checks via direct API; smithy already does this on spar's main branch (13-context full smithy migration set). If we want a real org floor later, the right vehicle is shipping a starter workflow via pulseengine/.github that emits the expected check names everywhere.
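A preflight for the failure mode described above, as an added example that is not part of the PR or of temper's code: given a proposed org-wide `contexts` list and the check names each repo's CI actually reports, it lists the repos that would be left unable to merge and computes the largest list that is safe everywhere. The function names `findBlockedRepos` and `universalFloor` are hypothetical, and the per-repo check names in `SAMPLE` are constructed for illustration.

```javascript
// Added example, not temper's code. SAMPLE is constructed data; in practice the
// observed names would be the check names reported on each repo's default branch.
const SAMPLE = {
  spar: ["Format", "Clippy", "Test", "Cargo Deny", "Mutation Testing"],
  rules_lean: ["verify-rules", "build"],
  ".github": [], // community files only, no CI checks
};

// Repos that would be stuck: at least one required context their CI never emits.
// Names are compared as exact strings, matching the "exact job names" wording above.
function findBlockedRepos(requiredContexts, observedByRepo) {
  const blocked = {};
  for (const [repo, observed] of Object.entries(observedByRepo)) {
    const seen = new Set(observed);
    const missing = requiredContexts.filter((ctx) => !seen.has(ctx));
    if (missing.length > 0) blocked[repo] = missing;
  }
  return blocked;
}

// Largest list that is safe to require everywhere: names every repo emits.
// A single repo without CI makes this empty, which is the contexts: [] case.
function universalFloor(observedByRepo) {
  const lists = Object.values(observedByRepo);
  if (lists.length === 0) return [];
  const first = [...new Set(lists[0])];
  return lists
    .slice(1)
    .reduce((acc, names) => acc.filter((n) => names.includes(n)), first)
    .sort();
}

const proposed = ["Format", "Clippy", "Test"];
const blocked = findBlockedRepos(proposed, SAMPLE);
for (const [repo, missing] of Object.entries(blocked)) {
  console.log(`${repo}: would never report ${missing.join(", ")}`);
}
console.log("safe org-wide floor:", JSON.stringify(universalFloor(SAMPLE)));
```

Running a check like this before the scheduled sweep applies a new floor turns the "small-repo trap" into a reviewable list instead of a set of blocked PRs.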