Skip to content

docs: record enforced branch protection + GitHub App release flow #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bim-ba merged 1 commit into from
Jun 29, 2026
Merged

docs: record enforced branch protection + GitHub App release flow #19

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 16 additions & 4 deletions CLAUDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,14 @@ Claude Code **plugin** under `plugins/yandex-360/`. Published on PyPI as `yandex

## Release & safety

- **Auto-release on push to main.** Every push to `main` runs python-semantic-release,
which versions from Conventional Commits and publishes to PyPI. Use `feat:` / `fix:` /
`docs:` / `chore:` … prefixes; the squash-merge title becomes the release.
- **Auto-release on push to main.** Every push to `main` runs python-semantic-release (PSR),
which versions from Conventional Commits and publishes to PyPI (OIDC trusted publishing).
Use `feat:` / `fix:` / `docs:` / `chore:` … prefixes; the squash-merge title becomes the
release. PSR pushes the release commit + tag back to `main` with a short-lived **GitHub App**
installation token (App ID `4175048`; secrets `RELEASE_APP_CLIENT_ID` /
`RELEASE_APP_PRIVATE_KEY`, minted in `release.yml`) — the default `GITHUB_TOKEN` cannot bypass
the branch-protection ruleset below, so the App token is what lets a release land. After a
release, `uv.lock`'s own version lags `pyproject` until you re-lock (see the gate bullet).
- **Never write a skip-ci token.** `[skip ci]` / `[ci skip]` / `[no ci]` / `[skip actions]` /
`[actions skip]`, or a `skip-checks: true` commit trailer, anywhere in a commit **or
squash-merge** message makes GitHub silently cancel the workflow run — and with it the
Expand All @@ -59,7 +64,14 @@ Claude Code **plugin** under `plugins/yandex-360/`. Published on PyPI as `yandex
holds only `${VAR}` references — config and tests never embed literal values.
- **Reproducible artifacts.** Generated demos/tables come from a committed source —
regenerate, never hand-author (the `demo.svg` incident).
- **Branch → PR → explicit approval before merge.** No direct pushes to `main`.
- **Branch → PR → explicit approval before merge — enforced.** `main` is protected by a
repository ruleset (`Protect main — require CI`): the checks `test (3.12)` · `test (3.13)` ·
`gitleaks` are **required** before any merge, and `main` cannot be force-pushed or deleted.
No direct pushes to `main`; only the release GitHub App (ID `4175048`) bypasses, so PSR can
land the release commit. **Consequence:** any red required check — including a stale `uv.lock`
after a release, where `uv sync --locked` fails — now *blocks every merge*, not just reds CI.
Re-lock (`uv lock`) and ship a `build:` commit immediately after each release. **Emergency
rollback:** set the ruleset to `disabled` (GitHub → Settings → Rules), fix, re-enable.
- **100% coverage gate.** `uv run pytest` enforces `--cov-fail-under=100`; new code ships
with tests that keep it green.
- **New resources via `/new-endpoint`**, respecting the invariants in
Expand Down