feat(jackin): require all path-aware aggregator checks; require 1 reviewer; strict up-to-date branch policy#14
Merged
Conversation
…iewer; strict up-to-date branch policy Raise the merge gate for the jackin repo so a green PR carries the same guarantees the path-aware refactor in jackin-project/jackin#256 intended. variables.tf — replace the single required check (`docs-link-check`) with the four aggregator-style checks plus the renovate-config upstream verification: - `ci-required` rolls up CI / changes, check, msrv, build-validator. - `construct-required` rolls up Construct Image's classifier, build matrix, and publish-manifest. - `docs-required` rolls up Docs' classifier, repo-link-check, docs-link-check, deploy. - `docs-link-check` is kept directly because the docs deploy is push-only, so on a `pull_request` event `docs-link-check` is the actual proof the docs build succeeds against the PR diff. - `validate` is the only job in the new `renovate-validate.yml` workflow; it asserts the deb registry URL behind the MISE customManager still resolves and still lists the `mise` package. - `DCO` (cncf/dco2 GitHub App) stays required as the contribution gate. Adding aggregators rather than the underlying jobs is deliberate — the next time someone adds or removes a gated job inside an existing workflow, branch protection does not need a terraform change. branch-protection.tf — two related changes: - `required_approving_review_count` from 0 to 1. Today an agent could open and merge without any human eyeball; raising to 1 ensures every PR goes through review. Combined with squash-merge, the merge commit still lands as a single change. - `strict_required_status_checks_policy` from false to true. The PR branch must be up-to-date with main before the merge is allowed, so a green CI run reflects exactly the code that lands on main rather than the code as it looked when the PR was opened. This closes the "two individually-green PRs become red when combined" failure mode. The combined effect is forward-looking hardening against the class of break that surfaced in jackin-project/jackin#266 (post-merge red `main`). On its own it would not have prevented that specific issue (publish-manifest is push-only and never ran on the PR), but it materially raises the floor: every PR now provably ran every aggregator check against the actual merge state, with a human reviewer signing off, before the squash button becomes clickable. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
|
donbeave
added a commit
to jackin-project/jackin
that referenced
this pull request
May 9, 2026
… rules (#267) Codify two CI-merge-safety rules in `PULL_REQUESTS.md` plus a one-line cross-reference in `AGENTS.md`. The recent #256 → #266 incident exposed a class of break invisible to PR-time CI: a workflow-level env var (`BUILDX_BUILDER`) leaked into the `publish-manifest` job, where docker buildx read it as the default-builder selection and failed at runtime — but only on push to main, because that job is push-only and never runs on a `pull_request` event. Three rules now live in `PULL_REQUESTS.md`. First, third-party-CLI env vars (`BUILDX_BUILDER`, `DOCKER_BUILDKIT`, `GH_TOKEN`/`GITHUB_TOKEN`, `KUBECONFIG`, `AWS_PROFILE`, `RUSTUP_TOOLCHAIN`, `npm_config_*`) must be scoped to the consuming job; workflow-level `env:` is reserved for in-house naming/paths. Second, registry / production publishing must hard-gate on main — the `is_publish` flag pattern from `construct.yml` is the canonical shape, and PRs / feature-branch dispatches must build-and-verify only, never publish. Third, push-only / main-only / `workflow_run`-gated jobs (`build-validator`, `publish-manifest`, `deploy`, `publish-preview`) must be smoke-tested via `gh workflow run --ref <feature-branch>` before requesting merge, since PR-time CI structurally cannot exercise them. A companion terraform PR (jackin-project/jackin-github-terraform#14) raises the matching protection-rule changes — required-status-check list, single approving review, strict up-to-date branch policy. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave
added a commit
that referenced
this pull request
May 9, 2026
…ntainer repo The previous PR (#14) raised `required_approving_review_count` from 0 to 1 as part of the post-#266 hardening, on the assumption that a human reviewer would be available before each merge. The repo is operated by a single maintainer, and GitHub does not let the PR author approve their own pull request, so the rule blocks every merge instead of gating it. Revert to `required_approving_review_count = 0`. The remaining hardening from #14 stays in place: `strict_required_status_checks_policy = true` ensures the green CI run reflects the exact code that lands on main, and the expanded required-status-check list (`ci-required`, `construct-required`, `docs-required`, `docs-link-check`, `validate`, `DCO`) gives every gated workflow a hard gate at the GitHub layer. Add a code comment naming the constraint so a future change does not silently re-flip the knob without checking whether the project has gained additional reviewers in the meantime. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave
added a commit
that referenced
this pull request
May 9, 2026
…ntainer repo (#15) Revert `required_approving_review_count` from 1 back to 0 on the `jackin` repo's `protect_main` ruleset. The previous change in #14 raised it under the assumption a human reviewer would always be available, but the repo is operated by a single maintainer and GitHub does not let a PR author approve their own pull request — the rule blocks every merge instead of gating it. The other improvements from #14 stay in place: `strict_required_status_checks_policy = true` ensures every PR runs CI against the actual merge state, and the expanded required-status-check list still gives every gated workflow a hard gate at the GitHub layer. A code comment names the solo-maintainer constraint so a future change does not silently re-flip the knob. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave
added a commit
to jackin-project/jackin
that referenced
this pull request
May 9, 2026
Capture an invariant that has been silently shaping recent decisions but was nowhere written down: jackin has exactly one human contributor, and GitHub does not let a PR author approve their own pull request. The previous CI hardening round (jackin-project/jackin-github-terraform#14) raised `required_approving_review_count` to 1 on the assumption a second reviewer was available — they are not — and the resulting trap blocked every merge until it was reverted in jackin-project/jackin-github-terraform#15. Add a 'Project staffing: solo maintainer' section at the top of `AGENTS.md` naming the constraint and the four downstream consequences: branch protection cannot require an approving review; "get a second pair of eyes" is not an available pre-merge step (pre-merge confidence comes from CI, the path-aware aggregator status checks, the strict up-to-date branch policy, and the agent following PULL_REQUESTS.md); multi-agent review is the load-bearing substitute for the missing second human, not optional polish; and for irreversible or high-blast-radius changes the agent should prefer asking the operator to confirm one more time over assuming green CI is sufficient. The rule retires when the project gains additional human reviewers. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave
added a commit
to jackin-project/jackin
that referenced
this pull request
May 18, 2026
… rules (#267) Codify two CI-merge-safety rules in `PULL_REQUESTS.md` plus a one-line cross-reference in `AGENTS.md`. The recent #256 → #266 incident exposed a class of break invisible to PR-time CI: a workflow-level env var (`BUILDX_BUILDER`) leaked into the `publish-manifest` job, where docker buildx read it as the default-builder selection and failed at runtime — but only on push to main, because that job is push-only and never runs on a `pull_request` event. Three rules now live in `PULL_REQUESTS.md`. First, third-party-CLI env vars (`BUILDX_BUILDER`, `DOCKER_BUILDKIT`, `GH_TOKEN`/`GITHUB_TOKEN`, `KUBECONFIG`, `AWS_PROFILE`, `RUSTUP_TOOLCHAIN`, `npm_config_*`) must be scoped to the consuming job; workflow-level `env:` is reserved for in-house naming/paths. Second, registry / production publishing must hard-gate on main — the `is_publish` flag pattern from `construct.yml` is the canonical shape, and PRs / feature-branch dispatches must build-and-verify only, never publish. Third, push-only / main-only / `workflow_run`-gated jobs (`build-validator`, `publish-manifest`, `deploy`, `publish-preview`) must be smoke-tested via `gh workflow run --ref <feature-branch>` before requesting merge, since PR-time CI structurally cannot exercise them. A companion terraform PR (jackin-project/jackin-github-terraform#14) raises the matching protection-rule changes — required-status-check list, single approving review, strict up-to-date branch policy. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave
added a commit
to jackin-project/jackin
that referenced
this pull request
May 18, 2026
Capture an invariant that has been silently shaping recent decisions but was nowhere written down: jackin has exactly one human contributor, and GitHub does not let a PR author approve their own pull request. The previous CI hardening round (jackin-project/jackin-github-terraform#14) raised `required_approving_review_count` to 1 on the assumption a second reviewer was available — they are not — and the resulting trap blocked every merge until it was reverted in jackin-project/jackin-github-terraform#15. Add a 'Project staffing: solo maintainer' section at the top of `AGENTS.md` naming the constraint and the four downstream consequences: branch protection cannot require an approving review; "get a second pair of eyes" is not an available pre-merge step (pre-merge confidence comes from CI, the path-aware aggregator status checks, the strict up-to-date branch policy, and the agent following PULL_REQUESTS.md); multi-agent review is the load-bearing substitute for the missing second human, not optional polish; and for irreversible or high-blast-radius changes the agent should prefer asking the operator to confirm one more time over assuming green CI is sufficient. The rule retires when the project gains additional human reviewers. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Raise the merge gate for the
jackinrepo to match what the path-aware-workflow refactor in jackin-project/jackin#256 introduced. Three changes: list the new aggregator status checks as required, require one approving review, and turn on the strict up-to-date branch policy so a green CI run reflects the exact code that lands on main.variables.tf— replace the singledocs-link-checkentry with a list of the four aggregator-style checks plus the renovate-config upstream verifier:ci-requiredrolls up CI'schanges,check,msrv,build-validator.construct-requiredrolls up Construct Image's classifier, build matrix, andpublish-manifest.docs-requiredrolls up Docs' classifier,repo-link-check,docs-link-check,deploy.docs-link-checkis kept directly so the docs build is provably green against the PR diff (the docsdeployjob is push-only and never runs onpull_request).validateis the only job in the newrenovate-validate.ymlworkflow — it asserts that the deb registry URL behind theMISE_VERSIONcustomManager still resolves and still lists themisepackage.DCO(the cncf/dco2 app) stays required as the contribution gate.Listing aggregators rather than the underlying jobs is deliberate — adding or removing a gated job inside any of those workflows in the future does not require a terraform change.
branch-protection.tf— bumprequired_approving_review_countfrom 0 to 1, and flipstrict_required_status_checks_policyfrom false to true. The first ensures every PR has a human eyeball; the second forces the PR branch to be up-to-date with main before merge so the green CI run reflects exactly the code that lands.Why now
The post-merge break in jackin-project/jackin#266 (
ERROR: no builder "jackin-construct" foundonmainimmediately after #256 merged) was caused by a workflow-level env-var leak that PR-time CI structurally cannot exercise —publish-manifestis push-only, so it never runs onpull_request. This terraform PR is the second half of the hardening: jackin-project/jackin#267 (sibling docs PR) codifies the rules that would have caught the original break in review and via a feature-branch smoke test, and this PR raises the floor on what GitHub will let merge in the first place.What's deferred
dry-run: trueinputs for the four push-only jobs (build-validator,publish-manifest,deploy,publish-preview) so the full job chain can be exercised in PR with side effects mocked. Higher cost / higher fidelity than the smoke-test rule shipped in #267; deferred until that rule plus this terraform-side raise prove insufficient.Verify locally
The plan output should show
required_approving_review_count: 0 -> 1,strict_required_status_checks_policy: false -> true, and the newrequired_checkentries on thejackinrepository'sprotect_mainruleset only — no other repos affected.