[ready to merge] Update branch rulesets given problems from zipline#652
Conversation
|
😎 Merged successfully - details. |
|
Claude finished @pv72895's task in 2m 19s —— View job Claude PR Review
SummaryOverall a solid documentation addition. The new "Exempt Trunk's temporary branches from other rulesets" section addresses a real onboarding gap — particularly the org-level rulesets case and the Five inline comments left:
None of these are blocking — the page is publishable as-is. The pattern-notation point (#4) is the one I'd most recommend addressing before merge. |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
|
|
||
| ##### Exempt Trunk's temporary branches from other rulesets <a href="#exempt-trunk-temporary-branches" id="exempt-trunk-temporary-branches"></a> | ||
|
|
||
| The two rulesets above target only your protected branch, so they don't match `trunk-temp/**/*` or `trunk-merge/**/*`. But any **other** Branch ruleset — at the **organization** level or elsewhere on this repository — whose targeting is broader (e.g. **All branches**, or a wildcard include like `**/*`) will match Trunk's temporary branches and block the queue. |
There was a problem hiding this comment.
Style consistency: This page uses e.g., with a comma everywhere else (lines 96, 97, 113, 114, 183, 232). The two new uses on lines 126 and 129 omit the comma. Worth normalizing for consistency.
| The two rulesets above target only your protected branch, so they don't match `trunk-temp/**/*` or `trunk-merge/**/*`. But any **other** Branch ruleset — at the **organization** level or elsewhere on this repository — whose targeting is broader (e.g. **All branches**, or a wildcard include like `**/*`) will match Trunk's temporary branches and block the queue. | |
| The two rulesets above target only your protected branch, so they don't match `trunk-temp/**/*` or `trunk-merge/**/*`. But any **other** Branch ruleset — at the **organization** level or elsewhere on this repository — whose targeting is broader (e.g., **All branches**, or a wildcard include like `**/*`) will match Trunk's temporary branches and block the queue. |
| The two rulesets above target only your protected branch, so they don't match `trunk-temp/**/*` or `trunk-merge/**/*`. But any **other** Branch ruleset — at the **organization** level or elsewhere on this repository — whose targeting is broader (e.g. **All branches**, or a wildcard include like `**/*`) will match Trunk's temporary branches and block the queue. | ||
|
|
||
| {% hint style="danger" %} | ||
| **Symptom:** A PR enters the queue and then fails out shortly after testing starts with a GitHub permission error (e.g. "Permission denied on trunk-merge/\* branch"). You'll see this on the **Trunk Merge Queue** status check on the PR, in Trunk's status comment on the PR, and on the PR's detail page in the [Trunk dashboard](https://app.trunk.io/). This almost always means a Branch ruleset is preventing Trunk from creating, pushing to, or deleting `trunk-temp/**/*` or `trunk-merge/**/*`. |
There was a problem hiding this comment.
Style consistency (same as line 126): missing comma after e.g.. Also worth considering using GitBook's italics or backticks for the error string instead of straight double-quotes, to match the way error strings appear elsewhere (e.g., line 217 uses italics-free plain text but in a different sentence structure).
| **Symptom:** A PR enters the queue and then fails out shortly after testing starts with a GitHub permission error (e.g. "Permission denied on trunk-merge/\* branch"). You'll see this on the **Trunk Merge Queue** status check on the PR, in Trunk's status comment on the PR, and on the PR's detail page in the [Trunk dashboard](https://app.trunk.io/). This almost always means a Branch ruleset is preventing Trunk from creating, pushing to, or deleting `trunk-temp/**/*` or `trunk-merge/**/*`. | |
| **Symptom:** A PR enters the queue and then fails out shortly after testing starts with a GitHub permission error (e.g., "Permission denied on trunk-merge/\* branch"). You'll see this on the **Trunk Merge Queue** status check on the PR, in Trunk's status comment on the PR, and on the PR's detail page in the [Trunk dashboard](https://app.trunk.io/). This almost always means a Branch ruleset is preventing Trunk from creating, pushing to, or deleting `trunk-temp/**/*` or `trunk-merge/**/*`. |
| **Symptom:** A PR enters the queue and then fails out shortly after testing starts with a GitHub permission error (e.g. "Permission denied on trunk-merge/\* branch"). You'll see this on the **Trunk Merge Queue** status check on the PR, in Trunk's status comment on the PR, and on the PR's detail page in the [Trunk dashboard](https://app.trunk.io/). This almost always means a Branch ruleset is preventing Trunk from creating, pushing to, or deleting `trunk-temp/**/*` or `trunk-merge/**/*`. | ||
| {% endhint %} | ||
|
|
||
| **Branch rulesets vs. Push rulesets.** Only **Branch** rulesets need this exemption — this is a GitHub ruleset type and is unrelated to the [Push-Triggered testing mode](#push-triggered-mode-advanced) above. Push rulesets gate the *content* of pushes (file size limits, secret scanning, restricted file paths, etc.) rather than the branch operations the queue performs, so they can target Trunk's temporary branches without breaking the queue. To tell them apart, open a ruleset's edit page: Branch rulesets have a **Branch targeting criteria** section, while Push rulesets have **Push rules** and target repositories rather than branches. Audit only the Branch rulesets. |
There was a problem hiding this comment.
Minor clarity nit: in "this is a GitHub ruleset type and is unrelated to the [Push-Triggered testing mode]", the antecedent of this is slightly ambiguous — does it refer to "Branch rulesets", "Push rulesets", or "the distinction"? Consider:
| **Branch rulesets vs. Push rulesets.** Only **Branch** rulesets need this exemption — this is a GitHub ruleset type and is unrelated to the [Push-Triggered testing mode](#push-triggered-mode-advanced) above. Push rulesets gate the *content* of pushes (file size limits, secret scanning, restricted file paths, etc.) rather than the branch operations the queue performs, so they can target Trunk's temporary branches without breaking the queue. To tell them apart, open a ruleset's edit page: Branch rulesets have a **Branch targeting criteria** section, while Push rulesets have **Push rules** and target repositories rather than branches. Audit only the Branch rulesets. | |
| **Branch rulesets vs. Push rulesets.** Only **Branch** rulesets need this exemption. Branch vs. Push is a GitHub ruleset type and is unrelated to the [Push-Triggered testing mode](#push-triggered-mode-advanced) above. Push rulesets gate the *content* of pushes (file size limits, secret scanning, restricted file paths, etc.) rather than the branch operations the queue performs, so they can target Trunk's temporary branches without breaking the queue. To tell them apart, open a ruleset's edit page: Branch rulesets have a **Branch targeting criteria** section, while Push rulesets have **Push rules** and target repositories rather than branches. Audit only the Branch rulesets. |
Not a blocker — the original is understandable, just a touch less explicit.
| * [ ] Ruleset #1 targets only your protected branch and has the Trunk GitHub App on the bypass list as **Exempt**. | ||
| * [ ] Ruleset #2 targets only your protected branch and does **not** bypass Trunk. | ||
| * [ ] Every other Branch ruleset visible at the organization level and on this repository either does not match `trunk-temp/**/*`/`trunk-merge/**/*`, or explicitly excludes both patterns. | ||
| * [ ] (If using [Trunk Sudo](../../setup-and-administration/trunk-sudo-app.md)) Trunk Sudo is on Ruleset #1's bypass list as **Exempt**, and on Ruleset #2's bypass list as **Exempt** if you use Force merge or stacked PRs. |
There was a problem hiding this comment.
This bullet packs two distinct conditional statements about Trunk Sudo into one sentence, and the second condition (Force merge / stacked PRs) only modifies the second half. It reads as a small parsing hurdle. Consider splitting:
| * [ ] (If using [Trunk Sudo](../../setup-and-administration/trunk-sudo-app.md)) Trunk Sudo is on Ruleset #1's bypass list as **Exempt**, and on Ruleset #2's bypass list as **Exempt** if you use Force merge or stacked PRs. | |
| * [ ] (If using [Trunk Sudo](../../setup-and-administration/trunk-sudo-app.md)) Trunk Sudo is on Ruleset #1's bypass list as **Exempt**. | |
| * [ ] (If using [Trunk Sudo](../../setup-and-administration/trunk-sudo-app.md) **and** Force merge or stacked PRs) Trunk Sudo is also on Ruleset #2's bypass list as **Exempt**. |
| **What happens if these branches are protected:** Merge Queue encounters GitHub permission errors and displays messages like "Permission denied on trunk-merge/\* branch." | ||
|
|
||
| {% hint style="warning" %} | ||
| **Also check rulesets, even if you only use Classic protection.** Organization-level Branch rulesets and other repository-level Branch rulesets apply on top of Classic rules and can match `trunk-temp/**/*`/`trunk-merge/**/*` independently. See [Exempt Trunk's temporary branches from other rulesets](#exempt-trunk-temporary-branches) for how to audit and fix them. |
There was a problem hiding this comment.
Pattern notation inconsistency within the Classic section. This new hint (and the new verification checklist on line 232) uses trunk-temp/**/* and trunk-merge/**/*, but the surrounding Classic section still describes the branches as trunk-temp/* and trunk-merge/* (lines 199–200, 210, 217).
Readers cross-referencing this hint with the description at lines 199–200 will see two different patterns and may wonder which is correct. Since the new docs explicitly call out (in the line 148–150 hint) that the trailing /* is required for GitHub's matcher, the older trunk-temp/* references feel out of step.
Two options:
- Update the Classic section's existing pattern references to
trunk-temp/**/*/trunk-merge/**/*for consistency. - Or explicitly note that
trunk-temp/*is conceptual shorthand for the branch namespace andtrunk-temp/**/*is the GitHub ruleset matcher.
Option 1 is probably simpler. Not a blocker, but worth resolving to avoid reader confusion.
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
- Normalize `e.g.,` punctuation in new section to match rest of page - Disambiguate "this" antecedent in Branch-vs-Push paragraph - Split the Trunk Sudo verification bullet so the Force-merge/stacked-PR condition only modifies the Ruleset #2 check - Standardize `trunk-temp/**/*` / `trunk-merge/**/*` notation throughout the page, including the Classic section, so readers don't see the same branches described two different ways near the new hint that calls out the trailing `/*` as required for GitHub's ruleset matcher Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Claude finished @pv72895's task in 1m 10s —— View job Claude PR Review
SummaryAll five comments from the prior review pass have been addressed in commit
Also noted as nice incidental polish: line 58 changed Remaining observationsNone of these are blocking — the PR is ready to merge.
VerdictReady to merge. The page is materially clearer than before — the new "Exempt Trunk's temporary branches from other rulesets" section, the Branch-vs-Push disambiguation, and the two verification checklists meaningfully close the onboarding gap. |
|
Verification status (2026-05-13): Verified: customers can use this. Ready to publish.
Ready to merge once review threads are resolved. |
samgutentag
changed the title
2 participants
Essentially update the docs to help address the onboarding problems skyline was seeing with rulesets - context thread - https://trunk-io.slack.com/archives/C09L0GB2771/p1778679381269979