This repository was archived by the owner on Mar 10, 2026. It is now read-only.

Repository governance gaps: admin overrides required for all operations #5

@avrabe

Description


Problem

During a docs-only terminology pass across all 16 PulseEngine repositories, every merge and push required --admin override to bypass branch protection. This defeats the purpose of having branch protection and exposes a systematic governance gap.

What happened

| Operation | Repos affected | Issue |
| --- | --- | --- |
| git push to main | .github, loom | Bypassed: "Changes must be made through a pull request" + "3 of 3 required status checks are expected" |
| gh pr merge --admin | meld, sigil, rules_wasm_component, rules_rocq_rust, wasi-mcp, thrum | No CI checks ran on any PR; merge required admin bypass |
| Merge strategy | thrum | Only rebase allowed; other repos have no consistent policy |

Root causes

1. CI doesn't trigger on PRs
None of the 6 PRs had CI status checks. Workflows either only trigger on main push events or don't cover the branches used. Branch protection requires status checks that never run.

2. repos.toml only covers 3 of 16 repositories
The PulseEngine example config only registers Loom, Meld, and Synth. The other crown jewels (Kiln, Sigil) and all supporting repos (rules_*, wasi-mcp, thrum, temper, mcp, etc.) are unmanaged.

3. safety.toml has placeholder URLs

repository_url = "https://github.com/example/loom"   # should be pulseengine/loom
repository_url = "https://github.com/example/synth"   # should be pulseengine/synth

4. No org-wide merge strategy standard
Thrum enforces rebase-only. Other repos allow anything. No consistency.

5. No docs-only CI bypass path
README-only changes triggered full test suites (Loom's stress test ran 20+ minutes before being killed). There's no lightweight path for docs PRs.

Proposed solution

Short-term

  • Fix safety.toml placeholder URLs → pulseengine/*
  • Add all 16 repos to examples/pulseengine/repos.toml
  • Ensure CI workflows trigger on pull_request events (not just push to main)

Medium-term

  • Define org-wide merge strategy (rebase-only?) and enforce via Temper or GitHub rulesets
  • Add path-based CI skip for docs-only changes (paths-ignore: ['**.md', 'docs/**'] or a lighter "docs-only" job)
  • Align branch protection required status checks with actual CI workflow job names

Long-term

  • Thrum should be able to validate repo governance as a gate (e.g., "does this repo have correct branch protection?")
  • Consider a repos.toml generator that discovers all org repos and their configurations

Context

This was discovered during the terminology alignment pass (PRs: meld#4, sigil#45, rules_wasm_component#383, rules_rocq_rust#21, wasi-mcp#7, thrum#4).
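Added example for the "align required status checks with actual CI job names" and "validate repo governance as a gate" items above; this is not PulseEngine or Thrum code. It audits one repo's branch protection against its workflow files and exits non-zero on drift. Both inputs are constructed: PROTECTION mirrors the shape of the `gh api repos/{owner}/{repo}/branches/{branch}/protection` response, and WORKFLOWS holds workflow files as `yaml.safe_load` would return them, so it runs offline. Three GitHub behaviours it relies on: a GitHub Actions job's status-check context is its `name` if set, otherwise the job key; a required check whose workflow is skipped by `paths`/`paths-ignore` stays "Expected" and blocks the PR, so path filtering cannot be combined with that check being required; and with `enforce_admins` off, admins can push past protection and merge with `--admin`, which is exactly the bypass the issue describes.

```python
"""Governance gate for one repo: does branch protection line up with the CI
that is supposed to satisfy it?

Added example, not code from PulseEngine or Thrum. PROTECTION and WORKFLOWS
are constructed inputs; replace them with the real API payload and the real
parsed workflow files to run this against a repository.
"""
from __future__ import annotations

# Constructed branch-protection payload (subset of the real response).
PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": {
        "strict": True,
        "contexts": ["build", "test", "lint", "ci/stress"],
    },
    # False is what lets `git push` and `gh pr merge --admin` bypass the rules.
    "enforce_admins": {"enabled": False},
}

# Constructed workflows, keyed by path, as yaml.safe_load would return them.
WORKFLOWS = {
    ".github/workflows/ci.yml": {
        "on": {"push": {"branches": ["main"]}},  # never runs on PRs
        "jobs": {
            "build": {"runs-on": "ubuntu-latest", "steps": []},
            "test": {"name": "test", "runs-on": "ubuntu-latest", "steps": []},
        },
    },
    ".github/workflows/docs.yml": {
        "on": {"pull_request": {"paths-ignore": ["**.md", "docs/**"]}},
        "jobs": {"lint": {"runs-on": "ubuntu-latest", "steps": []}},
    },
}


def triggers(workflow: dict) -> dict:
    """Normalise the `on:` block to {event: config}.

    PyYAML (YAML 1.1) reads a bare `on:` key as the boolean True, so a parsed
    workflow may carry its trigger block under True rather than "on".
    """
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on: {}}
    if isinstance(on, list):
        return {event: {} for event in on}
    return dict(on or {})


def job_contexts(workflow: dict) -> set:
    """Status-check contexts a workflow produces: the job's `name` if set,
    otherwise its key. These are the strings required_status_checks must list."""
    return {spec.get("name", key) for key, spec in (workflow.get("jobs") or {}).items()}


def audit(protection: dict, workflows: dict) -> dict:
    """Return findings grouped by class; an empty list everywhere means pass."""
    findings = {
        "missing_context": [],  # required check that no job produces
        "no_pr_trigger": [],    # producing workflow never runs on pull_request
        "path_filtered": [],    # producing workflow can be skipped by path filters
        "admin_bypass": [],     # rules do not apply to admins
    }
    required = protection.get("required_status_checks", {}).get("contexts", [])
    producers: dict = {}
    for path, wf in workflows.items():
        for ctx in job_contexts(wf):
            producers.setdefault(ctx, []).append(path)

    for ctx in sorted(required):
        if ctx not in producers:
            findings["missing_context"].append(ctx)
            continue
        for path in producers[ctx]:
            events = triggers(workflows[path])
            if "pull_request" not in events:
                findings["no_pr_trigger"].append(f"{ctx} ({path})")
                continue
            pr_cfg = events.get("pull_request") or {}
            # A required check whose workflow is skipped by paths/paths-ignore
            # stays "Expected" forever, so docs-only PRs could never merge.
            if "paths" in pr_cfg or "paths-ignore" in pr_cfg:
                findings["path_filtered"].append(f"{ctx} ({path})")

    if not protection.get("enforce_admins", {}).get("enabled"):
        findings["admin_bypass"].append(
            "enforce_admins disabled: admins can push to the branch and merge with --admin"
        )
    return findings


def gate(findings: dict) -> bool:
    """True when the repo passes the governance gate."""
    return not any(findings.values())


if __name__ == "__main__":
    import sys

    result = audit(PROTECTION, WORKFLOWS)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(0 if gate(result) else 1)
```

On the constructed inputs the gate fails on every class: `build` and `test` come from a workflow that only runs on push to main, `ci/stress` is required but no job produces it, `lint` lives behind a `paths-ignore` filter, and admins are not bound by the rules. The docs-only fast path that works with required checks is a job that still runs on every PR but does almost nothing when only docs changed (for example via a `paths-filter` step or `git diff --name-only` inside the job), not a workflow-level `paths-ignore`.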
