feat(branch-protection): require Docs / build check on jackin main #10
Merged
The protect-main ruleset enforced PR-only merges and forbade fast-forward and deletion, but it did not require any status check to pass before a merge. That left the docs link-check workflow advisory only — a red Docs / build run could still be merged into main.

Add a per-repo required_status_checks rule keyed off a new repo_required_status_checks variable. The map starts with jackin requiring "Docs / build" (the docs workflow's PR-running job that validates internal links, RepoFile references, and edit links against the PR checkout). Other repos in protected_repositories remain unchanged because they have no docs workflow today.

Why a per-repo map instead of a single shared list: the contexts that must pass differ by repo (a Rust repo needs CI / check; the marketplace needs its own validation; homebrew-tap has none). Sharing one list would either over-require contexts that do not exist on some repos (blocking all merges there forever) or under-require them on the repos that need the gate.

strict_required_status_checks_policy is left at the default false. PR authors are not forced to rebase onto the latest main before each merge; the check just needs to have passed on the head commit.

Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com>
This was referenced Apr 25, 2026

donbeave added a commit that referenced this pull request Apr 25, 2026
…ly (#11)

Fix the required-status-checks context I introduced in #10. The context "Docs / build" was the workflow / job display name that appears in the GitHub PR UI, but GitHub matches against the bare check-run name, which for the Docs workflow is "build". Result: zero check-runs ever satisfied the rule, every PR's mergeStateStatus turned BLOCKED right after #10 applied (see jackin-project/jackin#180 — green build but blocked merge).

Switch the map to a transitional dual-context list:
- "build" — the current docs link-check job name. Restores merges immediately after this applies.
- "docs-link-check" — the unique name the docs job will rename to in jackin-project/jackin (PR to follow). Listing it here ahead of the rename keeps PRs unblocked across the rename window.

Once the rename PR merges in jackin, drop "build" from this list in a follow-up apply so we don't have an extra context that could be silently satisfied by a future unrelated workflow's "build" job.

Verified locally:
- `tofu fmt -check` clean
- `tofu validate` clean
- Pre-commit secret scan clean

Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com>
Co-authored-by: Claude <noreply@anthropic.com>
donbeave added a commit that referenced this pull request May 7, 2026
donbeave added a commit that referenced this pull request May 7, 2026

Summary

`protect-main` ruleset. `Docs / build` (the docs workflow's PR-running job) to pass before a PR can merge into `main` of the `jackin` repo.

Why

The existing ruleset (`branch-protection.tf`) enforced PR-only merges, forbade non-fast-forward, and forbade deletion — but did not require any status check to pass. That left the docs link-check advisory: a red `Docs / build` could still be merged. The goal of jackin-project/jackin#173 is "no PR breaks any links", and that goal only becomes real when the docs check is required at the protection layer.

Scope

Intentionally docs-only for this PR — `Docs / build` is the only context being required, because that's the workflow that just landed in #173 and the goal here is to make its enforcement real. `CI / check` (Rust clippy/fmt/nextest, runs on every PR) is the obvious next candidate and a likely follow-up; it is deliberately not in this PR so the change is one rule, one repo, one revert if needed.

Design

`repo_required_status_checks` is a `map(list(string))` keyed by repository name. Repos absent from the map have no required checks (status quo). Currently only `jackin = ["Docs / build"]`. `CI / check`; `homebrew-tap` has no CI to require. Forcing one shared list would either block merges on repos that don't emit the expected check or under-protect repos that need different gates.

`strict_required_status_checks_policy` is left at default `false`. The check must have passed on the head commit; PR authors are not forced to rebase onto the latest `main` before each merge.

`integration_id` is left unpinned. For a single-org repo with no third-party check publishers installed, the spoofing risk (a different GitHub App publishing a `Docs / build` check) is essentially zero, and pinning would couple the rule to the GitHub Actions app id and break if that ever changes.

Apply plan

This repo's state is local-only per `AGENTS.md` ("`terraform.tfstate` is local-only. It stays on your machine."), so `tofu apply` runs on the operator's machine, not in CI.

- `tofu plan` against your local state — expect a single change to `github_repository_ruleset.protect_main["jackin"]` adding the `required_status_checks` rule.
- `tofu apply` if the plan looks right.
- `gh api repos/jackin-project/jackin/rulesets/14746904 --jq '.rules[] | select(.type=="required_status_checks")'` should now return the rule with context `Docs / build`.
- `Docs / build` resolves. If it sits in Expected — Waiting for status to be reported, the context format is wrong and needs to switch to bare `build`.
- `build` check; rebase or push to retrigger workflows so it can merge.

Test plan

- `tofu fmt -check` clean (verified locally)
- `tofu validate` clean (verified locally)
- `tofu plan` shows only the expected `required_status_checks` rule addition on `jackin`
- `jackin` with a failing `Docs / build` cannot be merged.

🤖 Generated with Claude Code
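The Design and Apply plan sections above rest on three GitHub behaviours that are easy to get wrong: a required context is matched against the bare check-run name (so a context written as the "Docs / build" display string never matches the job named "build" and the PR sits in Expected forever), every listed context must be reported on the head commit, and an unpinned `integration_id` lets any installed app satisfy the name. The following script is an added example, not code from this repository or from jackin-project. It reconciles a ruleset payload (the shape returned by the `gh api repos/.../rulesets/ID` call in the apply plan) against a commit's check-runs (the shape of `gh api repos/OWNER/REPO/commits/SHA/check-runs`) and reports, per context, why the gate is or is not satisfied. The JSON payloads are constructed for the example, the GitHub Actions app id 15368 is an assumption to confirm with `gh api apps/github-actions --jq .id`, and `lint_contexts`, `mergeable` and the `_rule`/`_run` builders are helpers written for this example, not GitHub API calls.

```python
"""Reconcile a ruleset's required status checks against a commit's check-runs."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Assumption: 15368 is the GitHub Actions app id. Confirm it with
# `gh api apps/github-actions --jq .id` before pinning integration_id to it.
GITHUB_ACTIONS_APP_ID = 15368

# Conclusions GitHub counts as passing for a required status check.
PASSING = {"success", "neutral", "skipped"}


@dataclass
class ContextResult:
    context: str
    state: str                 # satisfied | missing | pending | failed | wrong_app
    app_id: int | None = None  # app that published the run deciding the state
    note: str = ""


def required_contexts(ruleset: dict) -> list[dict]:
    """[{context, integration_id}] from the ruleset's required_status_checks rule."""
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "required_status_checks":
            return rule["parameters"]["required_status_checks"]
    return []


def lint_contexts(contexts: list[str]) -> list[str]:
    """Heuristic: a context containing ' / ' is usually the 'Workflow / job'
    display string from the PR UI, not the bare check-run name GitHub matches."""
    return [c for c in contexts if " / " in c]


def runs_by_name(check_runs: dict) -> dict[str, list[dict]]:
    """Group check-runs by bare name, newest (highest id) first."""
    grouped: dict[str, list[dict]] = {}
    for run in sorted(check_runs["check_runs"], key=lambda r: r["id"], reverse=True):
        grouped.setdefault(run["name"], []).append(run)
    return grouped


def evaluate(ruleset: dict, check_runs: dict) -> list[ContextResult]:
    """Per required context, decide whether the merge gate is satisfied.

    Matching is on the exact check-run name. A context that nothing reports
    stays 'missing': the PR shows "Expected - Waiting for status to be
    reported" and cannot merge, however green the other runs are. The
    strict (up-to-date-with-base) policy is not modelled here.
    """
    runs = runs_by_name(check_runs)
    results: list[ContextResult] = []
    for req in required_contexts(ruleset):
        ctx, pinned = req["context"], req.get("integration_id")
        candidates = runs.get(ctx, [])
        if not candidates:
            results.append(ContextResult(ctx, "missing", note="no check-run has this exact name"))
            continue
        if pinned is not None:
            from_pinned_app = [r for r in candidates if r["app"]["id"] == pinned]
            if not from_pinned_app:  # same name, other publisher: does not count
                other = candidates[0]["app"]
                results.append(ContextResult(ctx, "wrong_app", other["id"],
                               f"published only by '{other['slug']}', rule is pinned to app {pinned}"))
                continue
            candidates = from_pinned_app
        run = candidates[0]  # newest run carrying this name
        app_id = run["app"]["id"]
        if run["status"] != "completed":
            results.append(ContextResult(ctx, "pending", app_id))
        elif run["conclusion"] in PASSING:
            note = "" if app_id == GITHUB_ACTIONS_APP_ID else \
                "satisfied by a non-Actions app; an unpinned context accepts any publisher"
            results.append(ContextResult(ctx, "satisfied", app_id, note))
        else:
            results.append(ContextResult(ctx, "failed", app_id, run["conclusion"]))
    return results


def mergeable(results: list[ContextResult]) -> bool:
    return all(r.state == "satisfied" for r in results)


# Constructed payloads shaped like the two API responses; not real data.
def _rule(contexts: list[tuple[str, int | None]]) -> dict:
    return {"name": "protect-main", "rules": [
        {"type": "pull_request", "parameters": {}},
        {"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": False,
            "required_status_checks": [{"context": c, "integration_id": i} for c, i in contexts]}}]}


def _run(rid: int, name: str, app_id: int, slug: str, conclusion: str = "success") -> dict:
    return {"id": rid, "name": name, "status": "completed", "conclusion": conclusion,
            "app": {"id": app_id, "slug": slug}}


RULESET_DISPLAY_NAME = _rule([("Docs / build", None)])              # context as first applied
RULESET_DUAL = _rule([("build", None), ("docs-link-check", None)])  # transitional dual list
RULESET_PINNED = _rule([("build", GITHUB_ACTIONS_APP_ID)])
HEAD_RUNS = {"check_runs": [_run(101, "build", GITHUB_ACTIONS_APP_ID, "github-actions"),
                            _run(102, "check", GITHUB_ACTIONS_APP_ID, "github-actions")]}
SPOOFED_RUNS = {"check_runs": [_run(201, "build", 424242, "some-other-app")]}

if __name__ == "__main__":
    for label, rs, cr in [("display-name context", RULESET_DISPLAY_NAME, HEAD_RUNS),
                          ("dual list", RULESET_DUAL, HEAD_RUNS),
                          ("pinned, other publisher", RULESET_PINNED, SPOOFED_RUNS)]:
        res = evaluate(rs, cr)
        print(label, "mergeable" if mergeable(res) else "BLOCKED", json.dumps([vars(r) for r in res]))
```

Two results are worth noting. Against a head commit that reports only `build`, the transitional two-context list comes back with `docs-link-check` as missing and the gate blocked, because GitHub requires every listed context to be reported on the head commit; verify this on a live PR before relying on a dual list to bridge a rename. With `integration_id` pinned, a same-named `build` run from a different app is reported as `wrong_app` rather than silently accepted, which is the trade-off the Design section weighs against coupling the rule to the Actions app id.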