Skip to content

docs(governance): codify repo boundary — org-wide rulesets belong in .github, not .github-private (#575)#576

Merged
don-petry merged 3 commits into
mainfrom
docs/repo-boundary-governance-rulesets-575
Jul 2, 2026
Merged

docs(governance): codify repo boundary — org-wide rulesets belong in .github, not .github-private (#575)#576
don-petry merged 3 commits into
mainfrom
docs/repo-boundary-governance-rulesets-575

Conversation

@don-petry

@don-petry don-petry commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

What

Documents the repo-boundary rule so the recurring mistake — putting org-wide compliance policy in .github-private — can't happen silently again.

  • AGENTS.md (imported by every repo): new subsection "What lives where — .github vs .github-private" under Organization Standards. States that org-wide standards/compliance policy (incl. the codified code-quality / pr-quality rulesets) are owned by .github with canonical home standards/rulesets/; .github-private is scoped to agents/skills/reusable assets and must not be the source of truth for fleet policy (only release-channel-tags — which protects its own agent-release tags — belongs there). Includes the rule-of-thumb and the known exception being remediated.
  • standards/github-settings.md (Repository Rulesets §): "Source of truth & repo boundary" note pointing the codified ruleset JSONs at .github/standards/rulesets/ with the same boundary.

Why

During epic #964 (repo-template), a review surfaced that code-quality.json / pr-quality.json — org-wide compliance policy applied to the whole fleet — live in .github-private/.github/rulesets/ (added ad-hoc under compliance fix #60, before this boundary was documented). The relocation itself is tracked in #575; this PR lands the guidance now so the boundary is explicit going forward.

Refs #575.

Summary by CodeRabbit

  • Documentation
    • Clarified where shared repository standards and rulesets should live versus where reusable agent assets belong.
    • Added guidance on the canonical location for approved ruleset files, including a noted temporary exception during an ongoing move.
    • Improved wording around repository boundaries and ownership to make setup and maintenance expectations clearer.

Copilot AI review requested due to automatic review settings July 2, 2026 13:53
@don-petry don-petry requested a review from a team as a code owner July 2, 2026 13:53
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@don-petry, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 50 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d38501ae-196d-4dd2-9aa6-e0e07c364b67

📥 Commits

Reviewing files that changed from the base of the PR and between 023b4f0 and 513a699.

📒 Files selected for processing (2)
  • AGENTS.md
  • standards/github-settings.md
📝 Walkthrough

Walkthrough

This PR adds documentation clarifying ownership boundaries between .github and .github-private repos for standards/rulesets versus agent/skills assets, in both AGENTS.md and standards/github-settings.md, including a note on temporary relocation of two ruleset JSON files.

Changes

Ruleset ownership documentation

Layer / File(s) Summary
Ownership boundary and relocation notes
AGENTS.md, standards/github-settings.md
Adds sections defining canonical ownership of rulesets/standards by petry-projects/.github, scoping agent/skills assets to .github-private, documenting a do-not-author boundary and an exception for release-channel-tags, and noting the pending relocation of code-quality.json/pr-quality.json.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related issues

Possibly related PRs

  • petry-projects/.github#1: Both PRs modify AGENTS.md, with this PR clarifying the ownership boundary introduced in the original AGENTS.md.
  • petry-projects/.github#10: Amends standards/github-settings.md to clarify ownership/relocation of the same code-quality.json/pr-quality.json rulesets introduced there.
  • petry-projects/.github#7: AGENTS.md changes overlap with source-of-truth documentation for the pr-quality ruleset.
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR only updates documentation and does not implement the GH_TOKEN preflight check or workflow env change required by #60. Add the auth preflight in scripts/compliance-audit.sh and pass GH_TOKEN in the compliance-audit workflow step.
Out of Scope Changes check ⚠️ Warning The changes are unrelated to #60, which calls for compliance-audit auth fixes; this PR only adds docs about ruleset ownership. Move the docs boundary update to a separate PR and implement the compliance-audit.sh and workflow changes for #60.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the docs change about repository boundary rulesets and .github vs .github-private.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/repo-boundary-governance-rulesets-575

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #576
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-07-02T14:24:25Z

@don-petry

Copy link
Copy Markdown
Contributor Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-07-02T14:24:25Z

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 13:54
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@don-petry don-petry disabled auto-merge July 2, 2026 13:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Codifies a governance/repo-boundary rule clarifying that org-wide compliance policy (including sanctioned rulesets) is owned by petry-projects/.github, while petry-projects/.github-private is reserved for agent/skill assets (with release-channel-tags as the scoped exception).

Changes:

  • Adds a new “What lives where — .github vs .github-private” subsection to AGENTS.md to document the boundary rule and the known exception being remediated.
  • Adds a “Source of truth & repo boundary” note to standards/github-settings.md under Repository Rulesets to reinforce the canonical location and ownership.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
AGENTS.md Documents the .github vs .github-private ownership boundary for org-wide standards/policy and rulesets.
standards/github-settings.md Adds a rulesets “source of truth & repo boundary” note pointing to .github ownership and the intended canonical location.

Comment thread AGENTS.md Outdated
Comment thread AGENTS.md
Comment thread standards/github-settings.md
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
- Clear explanation of what lives where (standards vs. agent assets)
- Proper cross-references and rationale
- No code, configuration, or security issues
**CI Status:**
- Completed checks: ✅ all passing (Lint, ShellCheck, SonarCloud, Agent Security Scan, etc.)
- In-progress checks: Analyze (actions), CodeQL, copilot-pull-request-reviewer, CodeRabbit
- Other notes: chatgpt-codex-connector hit usage limits (rate-limited); don-petry's internal automation is also rate-limited
**Conclusion:**
No actionable issues found. The bot error is an external infrastructure issue (Gemini failed to initialize review), not a code defect. The PR changes are clean and the related CI checks are passing. The rate-limiting comments from other bots are informational and don't block the PR.
**Status:** ✅ No fixes required. PR is ready.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 13:56
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@don-petry don-petry disabled auto-merge July 2, 2026 13:57
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
Files changed: 0
Tier 1 blockers: None — PR is ready
```
The pull request documents the governance boundary between `.github` (org-wide standards/rulesets) and `.github-private` (agent/skill assets), and all automated checks confirm the changes are sound.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 13:57
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 2, 2026
@don-petry don-petry disabled auto-merge July 2, 2026 14:00
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:04

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 513a6993bb0721991f19140625710cd7c40fecf7
Review mode: triage-approved (single reviewer)

Summary

Docs-only governance PR (+43/-0, 2 files) codifying the repo-boundary rule: org-wide compliance rulesets (code-quality, pr-quality) belong in .github/standards/rulesets/, while .github-private is scoped to agents/skills and their own assets (only release-channel-tags legitimately lives there). Adds a "What lives where" subsection to AGENTS.md and a "Source of truth & repo boundary" note to standards/github-settings.md, both noting the known exception being remediated under #575. Triage's low-risk assessment is confirmed.

Linked issue analysis

No closing issue (intentional — "Refs #575"). Issue #575 (open) tracks the actual relocation of the ruleset JSONs; this PR deliberately lands only the guidance now so the boundary is explicit going forward. The doc content matches the issue's scope and framing accurately.

Findings

  • No issues found. Content is accurate: scripts/apply-rulesets.sh exists in this repo as referenced; the cross-link from standards/github-settings.md to AGENTS.md is valid; both sections consistently name standards/rulesets/ as the canonical home and #575 as the remediation tracker.
  • All 3 prior Copilot review threads (references to non-existent bootstrap-new-repo.sh / seed-repo-template.sh) are resolved — the current text uses apply-rulesets.sh and generic "repo-seeding tooling" instead.
  • Secret-scanning MCP tool not available in this run; gitleaks CI check passed (docs-only diff, no secret-like content).

CI status

All checks green: Lint, ShellCheck, CodeQL, SonarCloud (quality gate passed), Agent Security Scan, agent-shield, Secret scan (gitleaks), npm audit, CodeRabbit — SUCCESS. Ecosystem audits not applicable were skipped (pip/cargo/pnpm/govulncheck).


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry don-petry merged commit b136487 into main Jul 2, 2026
22 checks passed
@don-petry don-petry deleted the docs/repo-boundary-governance-rulesets-575 branch July 2, 2026 14:07
don-petry added a commit that referenced this pull request Jul 2, 2026
…sets/ (#575) (#577)

* chore(rulesets): relocate code-quality + pr-quality JSON to standards/rulesets/ (#575)

Move the org-wide compliance ruleset source of truth into its canonical home in
petry-projects/.github. `.github` owns org-wide standards and compliance policy;
`.github-private` is scoped to agents/skills and their assets (repo boundary
codified in #576).

- Add standards/rulesets/{code-quality,pr-quality}.json — byte-identical to the
  current .github-private/.github/rulesets/ copies (the 4-check code-quality set;
  NO coverage/secret-scan additions, which are sequenced separately to avoid
  bricking fleet repos that don't yet produce those checks).
- Add standards/rulesets/README.md documenting source-of-truth, the scope
  boundary (release-channel-tags stays in .github-private), and the safe-sequencing
  rule for required-check additions.
- github-settings.md: add a "Source of truth" pointer to standards/rulesets/.
- AGENTS.md: add a Rulesets row to the Organization Standards index.

The tooling repoint (apply-rulesets.sh + bootstrap-new-repo.sh) and removal of the
JSONs from .github-private land in a follow-up PR against .github-private, which
must merge after this one.

Part of #575. Follows #576.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(pr-quality): require last push approval — align codified ruleset with org policy (#575) (#582)

The codified pr-quality had require_last_push_approval=false, baked in when the file
was authored (#972). That contradicts the org's actual policy: the meta-repos
(.github, .github-private) and newer repos (TalkTerm, google-app-scripts) already
enforce require_last_push_approval=true live, and #895 verified auto-rebase's
update-branch is EXEMPT from last-push-approval (so enabling it does not fight the
auto-rebase flow). Set the codified source of truth to true.

Blast radius on next apply-rulesets run: tightens the three drifted repos still at
false (ContentTwin, markets, broodly); no-op on the four already at true.

Stacked on #577 (the relocation). Resolves the pr-quality file-vs-live drift flagged
in petry-projects/.github-private#1013.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore: dev-lead update (review-changes) [skip ci-relay]

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants