Skip to content

revert(rulesets): drop the provider-uncreatable CodeRabbit required-check ruleset#75

Merged
botantler-1[bot] merged 1 commit into
mainfrom
claude/rulesets-revert-coderabbit-create-panic
Jun 27, 2026
Merged

revert(rulesets): drop the provider-uncreatable CodeRabbit required-check ruleset#75
botantler-1[bot] merged 1 commit into
mainfrom
claude/rulesets-revert-coderabbit-create-panic

Conversation

@devantler

@devantler devantler commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Reverts #74 — the merged OrganizationRuleset fails to reconcile on-cluster, and cannot be made to work with the current provider.

Symptom

create failed: async create failed: recovered from panic:
interface conversion: interface {} is nil, not bool

(OrganizationRuleset/github-config/require-status-checks-coderabbit-review, panic loop every ~60s.)

Root cause

terraform-provider-github v6.6.0 (bundled in provider-upjet-github v0.19.1) expands the required_status_checks rule with an unchecked assertion — respository_rules_utils.go:343:

doNotEnforceOnCreate := requiredStatusMap["do_not_enforce_on_create"].(bool)

But v0.19.1's CRD does not expose doNotEnforceOnCreate (verified: absent from the live CRD), so the key is nil at runtime → nil.(bool) panics. The field can't be set from the CR to avoid the nil, v0.19.1 is the latest release, and the same shared code path means RepositoryRuleset would panic too. So no required_status_checks ruleset is provider-creatable today — which is why every existing status-check ruleset here is UI-created + Observe-imported.

The strict server-side dry-run that validated #74 only checks the CRD schema, never the provider/GitHub API, so it could not catch a runtime panic in the Terraform layer.

Impact / safety

The CR never created a GitHub ruleset (external-name is null), so nothing is orphaned and no merges are or were gated — the CodeRabbit check is not currently enforced. This revert restores a clean, green deploy/ reconcile.

Path forward (the CodeRabbit gate still needs a home)

Because the provider can't create required-status-check rulesets, the requirement must be UI-created + Observe-imported, exactly like the existing "Require status checks to pass" ruleset. Recommended: add the CodeRabbit context (pinned to app 347564) to that existing ruleset in the UI — it's already Observe-imported here, so no new resource is needed and nothing would drift. I can also file the upstream provider bug. README now documents this limitation so it isn't retried.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added management for release tag protection as a provider-managed organization ruleset.
  • Bug Fixes

    • Removed the previously documented status-check ruleset from provider-managed rollout.
    • Clarified that required status check rulesets must be created in the UI and then imported for observation only.
  • Documentation

    • Updated the organization rulesets guide to reflect the current managed ruleset set and the correct setup guidance.

…heck ruleset

Reverts #74. The merged OrganizationRuleset failed to reconcile on-cluster:

  create failed: async create failed: recovered from panic:
  interface conversion: interface {} is nil, not bool

Root cause: terraform-provider-github v6.6.0 (bundled in provider-upjet-github
v0.19.1) expands required_status_checks via
`requiredStatusMap["do_not_enforce_on_create"].(bool)`
(respository_rules_utils.go:343), but v0.19.1's CRD does not expose
`doNotEnforceOnCreate`, so the key is nil at runtime → nil.(bool) panics. The
field can't be set from the CR to avoid it, and v0.19.1 is the latest release,
so no `required_status_checks` ruleset is provider-creatable today. The strict
server dry-run that validated #74 only checks the CRD schema, never the
provider/GitHub API, so it could not catch this.

The CR never created a GitHub ruleset (external-name is null), so nothing is
orphaned and no merges are gated. README documents the limitation; the
CodeRabbit gate must stay UI-created + Observe-imported (like the existing
"Require status checks to pass") until the provider is fixed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 27, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 89f4efe5-6136-4f64-a6f2-b60a24972acf

📥 Commits

Reviewing files that changed from the base of the PR and between 95356b8 and bf6cfe9.

📒 Files selected for processing (4)
  • deploy/organization-rulesets/README.md
  • deploy/organization-rulesets/kustomization.yaml
  • deploy/organization-rulesets/protect-release-tags.yaml
  • deploy/organization-rulesets/require-status-checks-coderabbit-review.yaml

📝 Walkthrough

Walkthrough

Removes the require-status-checks-coderabbit-review.yaml OrganizationRuleset manifest and its kustomization entry, leaving protect-release-tags.yaml as the sole provider-managed (Create) ruleset. The README is updated to reflect this and adds a warning that required_status_checks org rulesets cannot be provider-created due to a panic in terraform-provider-github v6.6.0.

Changes

Revert CodeRabbit required-status-checks org ruleset

Layer / File(s) Summary
Remove manifest and update kustomization
deploy/organization-rulesets/require-status-checks-coderabbit-review.yaml, deploy/organization-rulesets/kustomization.yaml, deploy/organization-rulesets/protect-release-tags.yaml
Deletes the 62-line OrganizationRuleset manifest, removes it from the kustomization resources list, and updates the header comment from "tag + branch (2)" to "tag only (1)". The protect-release-tags.yaml comment is updated to note it is now the sole net-new managed ruleset.
README table and provider limitation warning
deploy/organization-rulesets/README.md
Updates the "What is managed here" table to list protect-release-tags.yaml as the sole Create-managed ruleset. Adds a warning block documenting that required_status_checks org rulesets cause a provider panic on create due to a missing doNotEnforceOnCreate field, mandating UI-created + Observe-imported for those rulesets.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • devantler-tech/.github#74: Directly reverts the addition of require-status-checks-coderabbit-review.yaml and its kustomization/README entries that this PR cleans up.

Poem

🐇 Hippity hop, the ruleset must go,
The provider it panicked — oh no, oh no!
One tag to protect, that's all we need,
The CodeRabbit check? Import with speed.
A warning now docs what the provider can't do,
Clean kustomization, fresh README too! ✨

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/rulesets-revert-coderabbit-create-panic

Comment @coderabbitai help to get the list of available commands.

@botantler-1 botantler-1 Bot enabled auto-merge (squash) June 27, 2026 23:47
@botantler-1 botantler-1 Bot merged commit ccf90b8 into main Jun 27, 2026
7 of 8 checks passed
botantler-1 Bot pushed a commit that referenced this pull request Jun 27, 2026
The revert #75 (dropping the panic-on-create CodeRabbit ruleset) merged to
main but semantic-release reported "no release": the default release rules
cover feat/fix/perf but not the `revert` type, so the deploy/ change was never
published — the github-config OCI artifact stayed at v1.8.0 (which still
contains the broken ruleset) and the failing OrganizationRuleset CR was never
pruned.

Add a commit-analyzer releaseRule mapping `revert` -> patch so revert commits
cut a release (and reach the cluster). This `fix:` commit itself triggers the
patch that republishes current main — with #75's removal already applied.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant