docs(governance): codify repo boundary — org-wide rulesets belong in .github, not .github-private (#575)#576
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Review limit reached
Next review available in: 50 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR adds documentation clarifying ownership boundaries between ChangesRuleset ownership documentation
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — waiting on PR blockers (intent: review-changes)PR: #576 |
|
Note @don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically. |
|
Warning Gemini encountered an error creating the review. You can try again by commenting |
There was a problem hiding this comment.
Pull request overview
Codifies a governance/repo-boundary rule clarifying that org-wide compliance policy (including sanctioned rulesets) is owned by petry-projects/.github, while petry-projects/.github-private is reserved for agent/skill assets (with release-channel-tags as the scoped exception).
Changes:
- Adds a new “What lives where —
.githubvs.github-private” subsection toAGENTS.mdto document the boundary rule and the known exception being remediated. - Adds a “Source of truth & repo boundary” note to
standards/github-settings.mdunder Repository Rulesets to reinforce the canonical location and ownership.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| AGENTS.md | Documents the .github vs .github-private ownership boundary for org-wide standards/policy and rulesets. |
| standards/github-settings.md | Adds a rulesets “source of truth & repo boundary” note pointing to .github ownership and the intended canonical location. |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
|
Caution Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted. Error details |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
Dev-Lead — fix-reviews (applied)Changes committed and pushed. |
|
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 513a6993bb0721991f19140625710cd7c40fecf7
Review mode: triage-approved (single reviewer)
Summary
Docs-only governance PR (+43/-0, 2 files) codifying the repo-boundary rule: org-wide compliance rulesets (code-quality, pr-quality) belong in .github/standards/rulesets/, while .github-private is scoped to agents/skills and their own assets (only release-channel-tags legitimately lives there). Adds a "What lives where" subsection to AGENTS.md and a "Source of truth & repo boundary" note to standards/github-settings.md, both noting the known exception being remediated under #575. Triage's low-risk assessment is confirmed.
Linked issue analysis
No closing issue (intentional — "Refs #575"). Issue #575 (open) tracks the actual relocation of the ruleset JSONs; this PR deliberately lands only the guidance now so the boundary is explicit going forward. The doc content matches the issue's scope and framing accurately.
Findings
- No issues found. Content is accurate:
scripts/apply-rulesets.shexists in this repo as referenced; the cross-link from standards/github-settings.md to AGENTS.md is valid; both sections consistently namestandards/rulesets/as the canonical home and #575 as the remediation tracker. - All 3 prior Copilot review threads (references to non-existent
bootstrap-new-repo.sh/seed-repo-template.sh) are resolved — the current text usesapply-rulesets.shand generic "repo-seeding tooling" instead. - Secret-scanning MCP tool not available in this run; gitleaks CI check passed (docs-only diff, no secret-like content).
CI status
All checks green: Lint, ShellCheck, CodeQL, SonarCloud (quality gate passed), Agent Security Scan, agent-shield, Secret scan (gitleaks), npm audit, CodeRabbit — SUCCESS. Ecosystem audits not applicable were skipped (pip/cargo/pnpm/govulncheck).
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
…sets/ (#575) (#577) * chore(rulesets): relocate code-quality + pr-quality JSON to standards/rulesets/ (#575) Move the org-wide compliance ruleset source of truth into its canonical home in petry-projects/.github. `.github` owns org-wide standards and compliance policy; `.github-private` is scoped to agents/skills and their assets (repo boundary codified in #576). - Add standards/rulesets/{code-quality,pr-quality}.json — byte-identical to the current .github-private/.github/rulesets/ copies (the 4-check code-quality set; NO coverage/secret-scan additions, which are sequenced separately to avoid bricking fleet repos that don't yet produce those checks). - Add standards/rulesets/README.md documenting source-of-truth, the scope boundary (release-channel-tags stays in .github-private), and the safe-sequencing rule for required-check additions. - github-settings.md: add a "Source of truth" pointer to standards/rulesets/. - AGENTS.md: add a Rulesets row to the Organization Standards index. The tooling repoint (apply-rulesets.sh + bootstrap-new-repo.sh) and removal of the JSONs from .github-private land in a follow-up PR against .github-private, which must merge after this one. Part of #575. Follows #576. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(pr-quality): require last push approval — align codified ruleset with org policy (#575) (#582) The codified pr-quality had require_last_push_approval=false, baked in when the file was authored (#972). That contradicts the org's actual policy: the meta-repos (.github, .github-private) and newer repos (TalkTerm, google-app-scripts) already enforce require_last_push_approval=true live, and #895 verified auto-rebase's update-branch is EXEMPT from last-push-approval (so enabling it does not fight the auto-rebase flow). Set the codified source of truth to true. Blast radius on next apply-rulesets run: tightens the three drifted repos still at false (ContentTwin, markets, broodly); no-op on the four already at true. Stacked on #577 (the relocation). Resolves the pr-quality file-vs-live drift flagged in petry-projects/.github-private#1013. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * chore: dev-lead update (review-changes) [skip ci-relay] --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>



What
Documents the repo-boundary rule so the recurring mistake — putting org-wide compliance policy in
.github-private— can't happen silently again.AGENTS.md(imported by every repo): new subsection "What lives where —.githubvs.github-private" under Organization Standards. States that org-wide standards/compliance policy (incl. the codifiedcode-quality/pr-qualityrulesets) are owned by.githubwith canonical homestandards/rulesets/;.github-privateis scoped to agents/skills/reusable assets and must not be the source of truth for fleet policy (onlyrelease-channel-tags— which protects its own agent-release tags — belongs there). Includes the rule-of-thumb and the known exception being remediated.standards/github-settings.md(Repository Rulesets §): "Source of truth & repo boundary" note pointing the codified ruleset JSONs at.github/standards/rulesets/with the same boundary.Why
During epic #964 (repo-template), a review surfaced that
code-quality.json/pr-quality.json— org-wide compliance policy applied to the whole fleet — live in.github-private/.github/rulesets/(added ad-hoc under compliance fix #60, before this boundary was documented). The relocation itself is tracked in #575; this PR lands the guidance now so the boundary is explicit going forward.Refs #575.
Summary by CodeRabbit