docs: record enforced branch protection + GitHub App release flow #19
Merged
main is now protected by the `Protect main — require CI` ruleset (required checks test (3.12) / test (3.13) / gitleaks; no force-push/delete). PSR pushes the release commit past it with a GitHub App token; the default GITHUB_TOKEN cannot bypass. Note the new consequence that a stale uv.lock blocks all merges, and the disable-ruleset rollback.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Documents the enforcement we just stood up, so the convention "no direct pushes to main" is no longer only prose.
CLAUDE.md → Release & safety
4175048; secrets `RELEASE_APP_CLIENT_ID`/`RELEASE_APP_PRIVATE_KEY`) because the default `GITHUB_TOKEN` cannot bypass the ruleset. Notes the post-release `uv.lock` lag.
`main` is protected by the `Protect main — require CI` ruleset (required checks `test (3.12)` · `test (3.13)` · `gitleaks`; no force-push/delete; only the App bypasses). New consequence spelled out: a stale `uv.lock` (or any red required check) now blocks every merge, so re-lock immediately after a release. Emergency rollback: set the ruleset to `disabled`.
Scope kept to CLAUDE.md (the home for release/process rules); ARCHITECTURE.md stays the ARCH-1..11 code-structure invariants only.
🤖 Generated with Claude Code
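Added example (not code from this PR or its repository): a Python check that audits a ruleset document, in the JSON shape GitHub's repository-rulesets REST API returns, against the policy the description states, so drift such as a ruleset left `disabled` after an emergency rollback is caught. The sample ruleset, the App id `1` and the function name `audit_ruleset` are constructed for illustration.

```python
# Added example: audit a ruleset JSON document against the policy in the PR text.
# SAMPLE is constructed; field names follow GitHub's repository-rulesets REST schema.
import json

REQUIRED_CHECKS = {"test (3.12)", "test (3.13)", "gitleaks"}  # from the PR text

SAMPLE = json.loads("""
{
  "name": "Protect main — require CI",
  "enforcement": "active",
  "bypass_actors": [
    {"actor_id": 1, "actor_type": "Integration", "bypass_mode": "always"}
  ],
  "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {"type": "required_status_checks",
     "parameters": {"required_status_checks": [
        {"context": "test (3.12)"}, {"context": "test (3.13)"}, {"context": "gitleaks"}]}}
  ]
}
""")


def audit_ruleset(rs, allowed_app_ids):
    """Return a list of findings; an empty list means the ruleset matches the policy."""
    findings = []
    if rs.get("enforcement") != "active":
        findings.append(f"enforcement is {rs.get('enforcement')!r}, not 'active'")
    rules = {r["type"]: r.get("parameters", {}) for r in rs.get("rules", [])}
    for needed, label in (("deletion", "branch deletion"), ("non_fast_forward", "force-push")):
        if needed not in rules:
            findings.append(f"{label} is not blocked (missing {needed!r} rule)")
    checks = {c["context"] for c in
              rules.get("required_status_checks", {}).get("required_status_checks", [])}
    for missing in sorted(REQUIRED_CHECKS - checks):
        findings.append(f"required check {missing!r} is not enforced")
    # Only the release App (actor_type "Integration") may bypass; flag anything else.
    for actor in rs.get("bypass_actors", []):
        if actor.get("actor_type") != "Integration" or actor.get("actor_id") not in allowed_app_ids:
            findings.append(f"unexpected bypass actor: {actor.get('actor_type')} {actor.get('actor_id')}")
    return findings


if __name__ == "__main__":
    for line in audit_ruleset(SAMPLE, allowed_app_ids={1}) or ["ruleset matches policy"]:
        print(line)
```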