feat: add code-quality ruleset (compliance fix)#86
Conversation
Creates the required `code-quality` repository ruleset enforcing required status checks on the default branch, as mandated by the org standard: standards/github-settings.md#code-quality--required-checks-ruleset-all-repositories Required checks: - SonarCloud (code quality analysis) - CodeQL (SAST) - agent-shield / AgentShield (agent security scan) - dependency-audit / Detect ecosystems (dependency vulnerability scan) Bypass actors: - OrganizationAdmin (always) — emergency override - dependabot-automerge-petry Integration (always) — Dependabot auto-merge The ruleset was applied directly via GitHub API. This file documents the configuration as code for auditability and future reapplication. Closes #60 Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@petry-projects/org-leads — this PR adds the missing |
There was a problem hiding this comment.
Pull request overview
Adds an auditable, version-controlled representation of the repository’s required “code-quality” ruleset so the compliance-mandated status-check requirements for main are captured in-repo.
Changes:
- Added
.github/rulesets/code-quality.jsondefining an activecode-qualityruleset targeting the default branch. - Configured required status checks:
SonarCloud,CodeQL,agent-shield / AgentShield, anddependency-audit / Detect ecosystems. - Added bypass actors for
OrganizationAdminand the Dependabot auto-merge integration (id3167543).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: d85bc693479d2dd5ee6b6e7b80a378e6251aabc5
Review mode: triage-approved (single reviewer)
Summary
This PR adds a single new file, .github/rulesets/code-quality.json (37 additions, 0 deletions), capturing the already-active code-quality repository ruleset as configuration-as-code. The ruleset enforces required status checks on the default branch and defines two bypass actors. Triage classified this as low-risk and a brief confirmation review concurs.
Linked issue analysis
Closes #60 — Compliance: missing-code-quality (severity: error, category: rulesets). The issue requires the repository to have a code-quality ruleset enforcing required status checks per standards/github-settings.md#code-quality--required-checks-ruleset-all-repositories. The committed JSON satisfies the standard:
enforcement: activetarget: branchwithref_name.include: ["~DEFAULT_BRANCH"]- All four required checks present:
SonarCloud,CodeQL,agent-shield / AgentShield,dependency-audit / Detect ecosystems strict_required_status_checks_policy: true(branches must be up to date)- Bypass actors limited to
OrganizationAdmin(emergency) and the Dependabot auto-merge integration (id 3167543) — both documented and reasonable
Findings
None. The change is a pure additive JSON config snapshot for auditability; it ships no code, no workflow changes, and does not weaken any existing control. The bypass set is conservative and matches stated intent. Structure conforms to the GitHub Rulesets API shape (name, target, enforcement, bypass_actors, conditions, rules).
CI status
- CodeQL: SUCCESS
- Analyze (actions): SUCCESS
- CodeRabbit: SUCCESS
- SonarCloud quality gate: PASSED (0 new issues, 0 hotspots, per posted comment)
The Copilot review is a COMMENTED overview, not a change request. Merge is BLOCKED only because branch protection requires an approving review, which this approval satisfies.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|



Summary
code-qualityrepository ruleset enforcing required status checks onmain.github/rulesets/code-quality.jsonfor auditabilityRequired checks configured
SonarCloudCodeQLagent-shield / AgentShielddependency-audit / Detect ecosystemsBypass actors
OrganizationAdmindependabot-automerge-petry(Integration, id: 3167543)Standard reference
standards/github-settings.md#code-quality--required-checks-ruleset-all-repositories
Closes #60
Generated with Claude Code