Include main branch ruleset as part of the template #40
Adapted from d-morrison/rpt#134. Exports the live `main` ruleset to .github/rulesets/main.json with the server-assigned fields stripped, adds apply-rulesets.sh that PUTs to update / POSTs to create (idempotent), and documents what's enforced in .github/rulesets/README.md. README.Rmd / README.md get a step pointing to the script under "Setup steps".
qbt-specific ruleset: required PR + required status checks (link-checker, Spellcheck, check-chars, build-deploy; non-strict) + no force-push / no deletion, Maintain-role PR-only bypass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The check-links.yml workflow declares `pull_request` as a trigger but doesn't actually produce a check run on PR events in this repo (workflow run history shows only `schedule` events firing it). Requiring it as a status check would make every PR wait forever for a context that never arrives.
The live ruleset on the canonical qbt repo currently has the same gap; this commit removes it from the JSON shipped with the template so that new repos derived from the template don't inherit a broken gate. Apply the change to the live repo by running `.github/scripts/apply-rulesets.sh`.
Also clarify in the rulesets README that the `build-deploy` PR check is satisfied by `preview.yml` (publish.yml is push-only), so future renames don't silently break the ruleset gate.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The "Apply branch rulesets" step described the required-checks list as (link-checker, Spellcheck, check-chars, build-deploy). link-checker was removed from main.json in the previous commit; update the README to match so the docs and the actual ruleset don't disagree.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@claude review

Claude finished @d-morrison's task in 1m 32s.
Code Review
Overall this is well-structured work. The idempotent PUT/POST logic is the right approach for a template-based setup, and the documentation is clear. A few things worth noting:

Claude Code CLI (local session) is working on this — paws off until I'm done.

- apply-rulesets.sh: fail fast with a clear message if jq is missing
- apply-rulesets.sh: skip ruleset files lacking a .name field (avoid a bogus POST for a ruleset literally named "null")
- rulesets/README.md: document the zero-approvals (self-merge) behavior and show how to look up the ruleset ID inline before re-export
- README.Rmd/README.md: note the zero-approvals behavior in the apply step
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Addressed all review observations:
apply-rulesets.sh
rulesets/README.md
README.Rmd / README.md
Re-requesting review.

@claude review

Claude finished @d-morrison's task in 1m 8s.
Code Review
All four findings from the previous review are correctly addressed. Here's a brief verification pass:
Nothing blocking. The implementation is solid and the documentation is clear for template users. Ready to merge.

Claude Code (remote session, ARDIA sweep) is picking this up — paws off until done.
Generated by Claude Code

The spellcheck CI was failing because 'rulesets' (added to README.Rmd:110 and README.md:111 in this PR) is not in the dictionary.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SNxbcZHy5tYHWAzeJ9XL4J

ARD summary (ARDIA sweep)
Round-2 review verdict was "Ready to merge. No blocking issues." — all code findings were already addressed. This push re-triggers CI; once Spellcheck goes green the PR is fully clean.

Pull request overview
Adds an exportable, re-applicable main branch ruleset to the template so repos created from it can programmatically enforce consistent branch protections (via a gh + jq script), and documents how to apply/maintain those rules.
Changes:
- Adds `.github/rulesets/main.json` plus documentation describing what the ruleset enforces and how to re-export it.
- Adds `.github/scripts/apply-rulesets.sh` to idempotently create/update all rulesets in `.github/rulesets/` via the GitHub API.
- Updates `README.Rmd` / `README.md` setup steps to include applying rulesets; updates the spellcheck wordlist.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| README.Rmd | Adds a setup step instructing admins to apply the branch ruleset after creating a repo from the template. |
| README.md | Same setup-step update as README.Rmd in rendered Markdown. |
| inst/WORDLIST | Adds “rulesets” to the spellcheck allowlist. |
| .github/scripts/apply-rulesets.sh | New script that applies all JSON rulesets to a repo using gh api. |
| .github/rulesets/README.md | Documentation for what the ruleset enforces and how to apply/re-export it. |
| .github/rulesets/main.json | Exported ruleset definition intended to protect the default branch via PR + required checks + no force-push/deletion. |

- add `gh` dependency check alongside existing `jq` check
- add --paginate to `gh api` rulesets listing so repos with >30 rulesets don't silently create duplicates
- fix rulesets/README.md: check-links.yml is excluded because it checks external URLs (transient failures, not PR-related), not because it doesn't run on PRs — it does have a pull_request trigger
- README.Rmd / README.md: use full path .github/rulesets/main.json
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SNxbcZHy5tYHWAzeJ9XL4J

ARD summary — Copilot round (commit
| # | Finding | Disposition | Detail |
|---|---|---|---|
| 1 | apply-rulesets.sh:13 — no gh dependency check; unclear error if missing | Addressed | Added `command -v gh` fast-fail alongside the existing jq check. |
| 2 | apply-rulesets.sh:27 — gh api without --paginate; repos with >30 rulesets silently create duplicates | Addressed | Changed to `gh api --paginate` … |
| 3 | README.md:122 — refers to main.json; full path reduces ambiguity | Addressed | Changed to .github/rulesets/main.json. |
| 4 | README.Rmd:119 — same as above | Addressed | Changed to .github/rulesets/main.json. |
| 5 | rulesets/README.md:36 — says check-links.yml "not on PRs"; it does have a pull_request trigger | Addressed | Replaced incorrect reason ("runs on schedule, not PRs") with the actual reason: it checks external URLs that can fail due to transient network issues or link rot unrelated to the PR, which would block merges on failures outside the author's control. |
| 6 | main.json:45 — PR description listed link-checker as required; JSON doesn't include it | Addressed | Updated PR description to remove link-checker / from the required-checks list. The rulesets README now also accurately explains the exclusion. |
Push triggered CI re-run.
Adapted from d-morrison/rpt#134.
Summary
- `main` branch ruleset to `.github/rulesets/main.json` (server-assigned fields stripped so it round-trips through the create/update endpoints).
- `.github/scripts/apply-rulesets.sh` idempotently applies every JSON in `.github/rulesets/` to the current repo — PUT to update an existing ruleset by name, POST to create.
- `.github/rulesets/README.md` documents what's enforced (required PR, required status checks for Spellcheck / check-chars / build-deploy, no force-push / no deletion, Maintain-role PR-only bypass) and how to re-export after editing in the UI.
- `README.Rmd` / `README.md`: add a one-step entry under "Setup steps" pointing to the script.

Test plan
- `.github/scripts/apply-rulesets.sh` against it — verify the ruleset shows up under Settings → Rules → Rulesets with all required status checks listed.
- `.github/rulesets/main.json`, run the script, confirm the change appears in the GitHub UI.

🤖 Generated with Claude Code
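
The create-or-update decision discussed in this thread, modelled as a dry run that shows why an unpaginated listing produces a duplicate POST and why nameless files are skipped. This is an added example, not the PR's `apply-rulesets.sh`; the `plan_apply` helper, the list of server-assigned fields, the repo name `octo/demo` and the sample rulesets are assumptions constructed for illustration.

```python
import json

# Assumption: response-only fields of GitHub's ruleset object. The thread says
# "server-assigned fields" are stripped but does not list them.
SERVER_FIELDS = {"id", "node_id", "source", "source_type", "created_at",
                 "updated_at", "_links", "current_user_can_bypass"}


def plan_apply(repo, ruleset_docs, listing_pages):
    """Return one (method, endpoint, payload) tuple per usable ruleset.

    ruleset_docs: JSON strings standing in for the files in .github/rulesets/.
    listing_pages: pages returned when listing repos/{repo}/rulesets; passing
    only the first page reproduces the unpaginated behaviour.
    """
    # Map name -> id across every page that was supplied.
    existing = {r["name"]: r["id"] for page in listing_pages for r in page}
    plan = []
    for doc in ruleset_docs:
        ruleset = json.loads(doc)
        name = ruleset.get("name")
        if not isinstance(name, str) or not name:
            # In shell, `jq -r .name` prints "null" for a missing key, which
            # would otherwise become a ruleset literally named "null".
            continue
        payload = {k: v for k, v in ruleset.items() if k not in SERVER_FIELDS}
        if name in existing:
            plan.append(("PUT", f"repos/{repo}/rulesets/{existing[name]}", payload))
        else:
            plan.append(("POST", f"repos/{repo}/rulesets", payload))
    return plan


# Constructed sample data (not taken from the PR).
MAIN = json.dumps({"id": 101, "name": "main", "target": "branch",
                   "enforcement": "active", "rules": [{"type": "deletion"}]})
NAMELESS = json.dumps({"target": "branch", "rules": []})
PAGE_1 = [{"id": i, "name": f"rs-{i}"} for i in range(1, 31)]  # 30 per page
PAGE_2 = [{"id": 101, "name": "main"}]

if __name__ == "__main__":
    for pages in ([PAGE_1], [PAGE_1, PAGE_2]):
        for method, endpoint, _ in plan_apply("octo/demo", [MAIN, NAMELESS], pages):
            print(len(pages), "page(s):", method, endpoint)
```

With only the first page, the existing `main` ruleset is not found and the plan is a POST that would create a second copy; with both pages it becomes a PUT against the existing ID.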