Summary
Relocate the org-wide compliance ruleset JSONs (code-quality.json, pr-quality.json) from
petry-projects/.github-private/.github/rulesets/ to their correct canonical home,
petry-projects/.github/standards/rulesets/, and repoint the tooling. .github-private is reserved for
agents, skills, and their reusable workflows/assets — it must not be the source of truth for org-wide
compliance policy. This is a governance/placement cleanup that also unblocks safely evolving the
required-check set (coverage / secret-scan) for the repo-template initiative (epic #964).
Background — how this happened
Discovered during epic #964 (repo-template): a Copilot review flagged that adding coverage to the
shared code-quality.json would brick every repo lacking a coverage job — surfacing that this shared
org policy sits in the wrong repo.
Decision (the governance rule — now documented in .github/AGENTS.md)
- Org-wide standards and compliance policy (CI/workflow templates, repo settings, labels, Dependabot
policy, security config, and the codified compliance rulesets code-quality / pr-quality) are
owned by petry-projects/.github; their canonical home is standards/.
petry-projects/.github-private is scoped to agents, skills, and their reusable workflows/assets.
The one ruleset that legitimately stays there is release-channel-tags — it protects
.github-private's own pr-review/** and dev-lead/** agent-release tags.
- Rule of thumb: fleet-wide →
.github/standards/; protects an agent/skill's own assets in
.github-private → stays there. When in doubt, put it in .github and have .github-private consume it.
Scope of work
- Relocate JSONs — move
code-quality.json + pr-quality.json to
petry-projects/.github/standards/rulesets/. Leave release-channel-tags.json in .github-private.
- Repoint tooling
apply-rulesets.sh: change RULESETS_REPO / RULESETS_DIR defaults so the fleet rulesets resolve
from .github; keep a path for the .github-private-local release-channel-tags.
bootstrap-new-repo.sh: read the fleet rulesets from .github.
- Dedupe the two
apply-rulesets.sh copies (.github/scripts/ vs .github-private/scripts/) —
pick the canonical owner (the applier is org tooling → .github), or clearly delineate roles.
- Docs —
standards/github-settings.md: point the code-quality / pr-quality "source of truth" refs
at the new standards/rulesets/ location; add a Rulesets row to the AGENTS.md standards index.
- Migration safety — moving the source JSON does not change any repo's live ruleset (rulesets
live on each repo). Verify: after relocation, apply-rulesets.sh --dry-run against a sample repo
produces the identical payload it does today (no drift), and re-running is a no-op. No live ruleset is
deleted/recreated as part of the move.
- Fold-in (epic #964 / repo-template) — decide and implement the required-check set for the
relocated code-quality:
- Template + new repos should require the full producible set (incl.
Secret scan (gitleaks) and the
stack-aware coverage).
- Fleet-wide addition of
coverage requires backfilling a coverage job into existing repos first (they
currently lack one) — otherwise it bricks them. Sequence: (a) ship the jobs via the template ci.yml
and backfill existing repos, (b) then add the contexts to the shared ruleset. Until backfilled, keep
the stricter set scoped to the template / new repos.
Acceptance criteria
Out of scope
- The fleet-wide coverage backfill itself (its own migration, referenced above).
release-channel-tags.json (correctly stays in .github-private).
- Any change to what the checks do — this is a placement + sequencing cleanup.
Summary
Relocate the org-wide compliance ruleset JSONs (
code-quality.json,pr-quality.json) frompetry-projects/.github-private/.github/rulesets/to their correct canonical home,petry-projects/.github/standards/rulesets/, and repoint the tooling..github-privateis reserved foragents, skills, and their reusable workflows/assets — it must not be the source of truth for org-wide
compliance policy. This is a governance/placement cleanup that also unblocks safely evolving the
required-check set (coverage / secret-scan) for the repo-template initiative (epic #964).
Background — how this happened
code-quality.jsonwas added to.github-privateon 2026-05-14 under an ad-hoc "compliance fix"(issue fix: add GH_TOKEN preflight check to compliance-audit.sh #60 / PR fix: encode compliance-fix learnings into standards and Claude prompt #86), before the org-standards structure and repo-boundary conventions matured.
apply-rulesets.sh(issue #868 / PR #889, initiative docs(standards): add Advanced Security (GHAS) org standard #495) then anchored on that location — itsRULESETS_REPOdefaults topetry-projects/.github-private— andbootstrap-new-repo.sh(#967/#972) consumed the same path.
.github-private, while.githubholds only the documentation (standards/github-settings.md) plus a duplicate copy ofapply-rulesets.sh. The standard is split across two repos with a duplicated applier.Discovered during epic #964 (repo-template): a Copilot review flagged that adding
coverageto theshared
code-quality.jsonwould brick every repo lacking a coverage job — surfacing that this sharedorg policy sits in the wrong repo.
Decision (the governance rule — now documented in
.github/AGENTS.md)policy, security config, and the codified compliance rulesets
code-quality/pr-quality) areowned by
petry-projects/.github; their canonical home isstandards/.petry-projects/.github-privateis scoped to agents, skills, and their reusable workflows/assets.The one ruleset that legitimately stays there is
release-channel-tags— it protects.github-private's ownpr-review/**anddev-lead/**agent-release tags..github/standards/; protects an agent/skill's own assets in.github-private→ stays there. When in doubt, put it in.githuband have.github-privateconsume it.Scope of work
code-quality.json+pr-quality.jsontopetry-projects/.github/standards/rulesets/. Leaverelease-channel-tags.jsonin.github-private.apply-rulesets.sh: changeRULESETS_REPO/RULESETS_DIRdefaults so the fleet rulesets resolvefrom
.github; keep a path for the.github-private-localrelease-channel-tags.bootstrap-new-repo.sh: read the fleet rulesets from.github.apply-rulesets.shcopies (.github/scripts/vs.github-private/scripts/) —pick the canonical owner (the applier is org tooling →
.github), or clearly delineate roles.standards/github-settings.md: point the code-quality / pr-quality "source of truth" refsat the new
standards/rulesets/location; add aRulesetsrow to the AGENTS.md standards index.live on each repo). Verify: after relocation,
apply-rulesets.sh --dry-runagainst a sample repoproduces the identical payload it does today (no drift), and re-running is a no-op. No live ruleset is
deleted/recreated as part of the move.
relocated
code-quality:Secret scan (gitleaks)and thestack-aware
coverage).coveragerequires backfilling a coverage job into existing repos first (theycurrently lack one) — otherwise it bricks them. Sequence: (a) ship the jobs via the template
ci.ymland backfill existing repos, (b) then add the contexts to the shared ruleset. Until backfilled, keep
the stricter set scoped to the template / new repos.
Acceptance criteria
code-quality.json+pr-quality.jsonlive underpetry-projects/.github/standards/rulesets/;removed from
.github-private/.github/rulesets/(onlyrelease-channel-tags.jsonremains there).apply-rulesets.sh+bootstrap-new-repo.shresolve fleet rulesets from.githubby default;apply-rulesets.shis de-duplicated (single canonical owner).apply-rulesets.sh --dry-runon a sample repo yields a byte-identical payload pre/post move (proofof no live drift); re-run is a no-op.
standards/github-settings.md+AGENTS.mdreference the new location; AGENTS.md carries therepo-boundary rule (done in the guidance PR).
code-qualityis sequenced safely (no existing repo bricked); coverageis not added fleet-wide until repos produce it.
Out of scope
release-channel-tags.json(correctly stays in.github-private).