Skip to content

Relocate org-wide compliance rulesets (code-quality, pr-quality) from .github-private to .github/standards/rulesets/ #575

Description

@don-petry

Summary

Relocate the org-wide compliance ruleset JSONs (code-quality.json, pr-quality.json) from
petry-projects/.github-private/.github/rulesets/ to their correct canonical home,
petry-projects/.github/standards/rulesets/, and repoint the tooling. .github-private is reserved for
agents, skills, and their reusable workflows/assets — it must not be the source of truth for org-wide
compliance policy. This is a governance/placement cleanup that also unblocks safely evolving the
required-check set (coverage / secret-scan) for the repo-template initiative (epic #964).

Background — how this happened

Discovered during epic #964 (repo-template): a Copilot review flagged that adding coverage to the
shared code-quality.json would brick every repo lacking a coverage job — surfacing that this shared
org policy sits in the wrong repo.

Decision (the governance rule — now documented in .github/AGENTS.md)

  • Org-wide standards and compliance policy (CI/workflow templates, repo settings, labels, Dependabot
    policy, security config, and the codified compliance rulesets code-quality / pr-quality) are
    owned by petry-projects/.github; their canonical home is standards/.
  • petry-projects/.github-private is scoped to agents, skills, and their reusable workflows/assets.
    The one ruleset that legitimately stays there is release-channel-tags — it protects
    .github-private's own pr-review/** and dev-lead/** agent-release tags.
  • Rule of thumb: fleet-wide → .github/standards/; protects an agent/skill's own assets in
    .github-private → stays there. When in doubt, put it in .github and have .github-private consume it.

Scope of work

  1. Relocate JSONs — move code-quality.json + pr-quality.json to
    petry-projects/.github/standards/rulesets/. Leave release-channel-tags.json in .github-private.
  2. Repoint tooling
    • apply-rulesets.sh: change RULESETS_REPO / RULESETS_DIR defaults so the fleet rulesets resolve
      from .github; keep a path for the .github-private-local release-channel-tags.
    • bootstrap-new-repo.sh: read the fleet rulesets from .github.
    • Dedupe the two apply-rulesets.sh copies (.github/scripts/ vs .github-private/scripts/) —
      pick the canonical owner (the applier is org tooling → .github), or clearly delineate roles.
  3. Docsstandards/github-settings.md: point the code-quality / pr-quality "source of truth" refs
    at the new standards/rulesets/ location; add a Rulesets row to the AGENTS.md standards index.
  4. Migration safety — moving the source JSON does not change any repo's live ruleset (rulesets
    live on each repo). Verify: after relocation, apply-rulesets.sh --dry-run against a sample repo
    produces the identical payload it does today (no drift), and re-running is a no-op. No live ruleset is
    deleted/recreated as part of the move.
  5. Fold-in (epic #964 / repo-template) — decide and implement the required-check set for the
    relocated code-quality:
    • Template + new repos should require the full producible set (incl. Secret scan (gitleaks) and the
      stack-aware coverage).
    • Fleet-wide addition of coverage requires backfilling a coverage job into existing repos first (they
      currently lack one) — otherwise it bricks them. Sequence: (a) ship the jobs via the template ci.yml
      and backfill existing repos, (b) then add the contexts to the shared ruleset. Until backfilled, keep
      the stricter set scoped to the template / new repos.

Acceptance criteria

  • code-quality.json + pr-quality.json live under petry-projects/.github/standards/rulesets/;
    removed from .github-private/.github/rulesets/ (only release-channel-tags.json remains there).
  • apply-rulesets.sh + bootstrap-new-repo.sh resolve fleet rulesets from .github by default;
    apply-rulesets.sh is de-duplicated (single canonical owner).
  • apply-rulesets.sh --dry-run on a sample repo yields a byte-identical payload pre/post move (proof
    of no live drift); re-run is a no-op.
  • standards/github-settings.md + AGENTS.md reference the new location; AGENTS.md carries the
    repo-boundary rule (done in the guidance PR).
  • Required-check-set change for code-quality is sequenced safely (no existing repo bricked); coverage
    is not added fleet-wide until repos produce it.

Out of scope

  • The fleet-wide coverage backfill itself (its own migration, referenced above).
  • release-channel-tags.json (correctly stays in .github-private).
  • Any change to what the checks do — this is a placement + sequencing cleanup.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions