This is the organization-level .github repository for Impel-Marketing-AI. GitHub treats this repo as a special location for shared configuration, reusable workflows, community health files, and label definitions that apply across all repositories in the org.
Visibility: Private — contents are available to all repos within the org but not publicly visible.
.github/ ← repo root
├── .github/
│ ├── release-drafter.yml ← Org-wide Release Drafter config
│ └── workflows/
│ └── qa-gate.yml ← Reusable QA Gate workflow
├── CODEOWNERS ← Org-wide code ownership rules
├── labels/
│ └── labels.json ← Shared label definitions
├── PULL_REQUEST_TEMPLATE.md ← Org-wide default PR template
└── README.md ← This file
The PULL_REQUEST_TEMPLATE.md at the repo root acts as the default PR template for every repository in the org that doesn't define its own. When a contributor opens a pull request in any org repo, GitHub automatically pre-fills the PR body with this template — enforcing a consistent format that includes a summary, Jira link, type-of-change checklist, and testing notes.
A repo can override the org default by placing its own PULL_REQUEST_TEMPLATE.md (or a .github/PULL_REQUEST_TEMPLATE/ directory) in its own repository.
Reference: GitHub Docs — Creating a default community health file
The .github/release-drafter.yml file in this repo serves as the default Release Drafter configuration for all repositories in the org. This works because Release Drafter has built-in support for org-level config inheritance from the .github repository.
How it works:
- When Release Drafter runs in a repo, it looks for a config file in this order:
- The repo's own
.github/release-drafter.yml(or the path set viaconfig-name) - The org
.githubrepo's.github/release-drafter.yml(automatic fallback)
- The repo's own
- If a repo has no local config and no
config-nameoverride, it automatically picks up the org-level config from this repo.
For consuming repos, no extra setup is needed — just ensure:
- The repo's build workflow calls
release-drafter/release-drafter@v6without aconfig-nameinput - There is no local
.github/release-drafter.ymlin the repo (otherwise it takes precedence)
A repo can still override the org config by adding its own .github/release-drafter.yml.
Reference: Release Drafter — Configuration options
| Workflow | File | Purpose |
|---|---|---|
| QA Gate | .github/workflows/qa-gate.yml |
Checks PRs for the qa: tested label before allowing merge. Reports pass/fail as a QA Gate status check. |
The labels/labels.json file defines standardized labels used across org repositories:
| Label | Color | Purpose |
|---|---|---|
qa: needs testing |
#D4A017 |
PR is ready for QA verification |
qa: tested |
#13A688 |
QA has verified the changes in this PR |
qa: failed |
#D03C38 |
QA found issues with this PR |
feature |
#410099 |
Release-drafter: new feature or capability |
enhancement |
#635DFF |
Release-drafter: improvement to existing feature |
fix |
#E5534B |
Release-drafter: bug fix |
bug |
#E5534B |
Release-drafter: something isn't working |
chore |
#8B8680 |
Release-drafter: maintenance, refactoring, or tooling |
dependencies |
#1D76DB |
Release-drafter: dependency updates |
Any repository in the org can reference a reusable workflow from this repo using the uses keyword with the full org path. Per GitHub security best practices, pin the reference to a commit SHA rather than a branch name to ensure immutable, auditable builds.
# .github/workflows/qa-gate.yml (in the consuming repo)
name: QA Gate
on:
pull_request:
types: [opened, labeled, unlabeled, synchronize]
branches: [develop, 'releases/*']
jobs:
qa-gate:
# Pin to a specific commit SHA for security — update when the reusable workflow changes
uses: Impel-Marketing-AI/.github/.github/workflows/qa-gate.yml@afe23d613d2eff78c62c4e6241674aa2f9ce8156Tip: To find the latest SHA, run
git ls-remote https://github.com/Impel-Marketing-AI/.github refs/heads/mainor check the latest commit on themainbranch.
The caller workflow is typically only a few lines — all logic lives in the reusable workflow in this repo.
The reusable QA Gate workflow needs to remove labels and post comments on pull requests. Because reusable workflows inherit the caller's GITHUB_TOKEN permissions, the caller must ensure the token has the required scopes.
| Permission | Level | Why |
|---|---|---|
pull-requests |
write |
Remove the qa: tested label when the PR author self-applies it; post an explanatory comment |
Note:
contents: readis not required by the QA Gate workflow (it usesactions/github-scriptfor API calls only — no checkout or file access). When you add apermissionsblock, GitHub restricts the token to only the permissions you explicitly list, socontents: readis intentionally not granted (and therefore not listed) because it is not needed.
Option A — Rely on org/repo defaults (recommended)
If your org or repo default token permissions already include pull-requests: write (GitHub's default for non-fork PRs), no permissions block is needed in the caller workflow:
name: QA Gate
on:
pull_request:
types: [opened, labeled, unlabeled, synchronize]
branches: [develop, 'releases/*']
jobs:
qa-gate:
uses: Impel-Marketing-AI/.github/.github/workflows/qa-gate.yml@afe23d613d2eff78c62c4e6241674aa2f9ce8156Option B — Explicit permissions (if org defaults are restrictive)
If your org or repo has set the default GITHUB_TOKEN to read-only, you must explicitly grant the required permissions in the caller:
name: QA Gate
on:
pull_request:
types: [opened, labeled, unlabeled, synchronize]
branches: [develop, 'releases/*']
permissions:
pull-requests: write
jobs:
qa-gate:
uses: Impel-Marketing-AI/.github/.github/workflows/qa-gate.yml@afe23d613d2eff78c62c4e6241674aa2f9ce8156Warning: Setting only
permissions: contents: read(withoutpull-requests: write) will break the QA Gate workflow — it will be unable to remove labels or post comments.
The QA Gate workflow is enforced via GitHub org-level rulesets:
- Ruleset:
QA Gate – Develop & Releases - Scope:
mfe-location-management(POC), branchesdevelopandreleases/* - Required check:
QA Gate - Bypass: Org admins only