diff --git a/deploy/organization-rulesets/README.md b/deploy/organization-rulesets/README.md index a058d4a..90dd9f8 100644 --- a/deploy/organization-rulesets/README.md +++ b/deploy/organization-rulesets/README.md @@ -33,7 +33,6 @@ verb — e.g. `require-pull-request.yaml`). Repo-scoped rulesets live next door |---|---|---| | 10 `OrganizationRuleset` files | the 10 org rulesets below | Observe (read-only import) | | `protect-release-tags.yaml` | **Protect release tags** (net-new) | Managed (Create) — block tag delete + force-move + require `v` | -| `require-status-checks-coderabbit-review.yaml` | **Require status checks to pass - CodeRabbit** (net-new) | Managed (Create) — require the `CodeRabbit` status check on the default branch of every repo | | (in `../repository-rulesets/`) `require-merge-queue-on-platform.yaml` | `platform` "Require merge queue" | Observe (read-only import) | The 10 imported org rulesets: Block force pushes · Require a pull request before @@ -73,6 +72,18 @@ These are tracked for re-adoption as the provider gains support in [#69](https://github.com/devantler-tech/.github/issues/69) (`roadmap`). Re-home each here Observe-first once expressible. +> **⚠️ `required_status_checks` rulesets are expressible but NOT provider-creatable.** +> A required-status-check org ruleset (requiring the `CodeRabbit` check) was added in +> [#74](https://github.com/devantler-tech/.github/pull/74) and **reverted** — on create the +> provider **panics**: `terraform-provider-github` v6.6.0 (`respository_rules_utils.go:343`) +> does `requiredStatusMap["do_not_enforce_on_create"].(bool)`, but `provider-upjet-github` +> v0.19.1's CRD doesn't expose `doNotEnforceOnCreate`, so the key is `nil` → `nil.(bool)` +> panics. The field can't be set from the CR to avoid it, and v0.19.1 is the latest release. +> So **"Require status checks to pass"** (and any CodeRabbit equivalent) must stay +> **UI-created + Observe-imported** until the provider is fixed; that is also why the +> `require-status-checks.yaml` import here is Observe-only. Tracked in +> [#69](https://github.com/devantler-tech/.github/issues/69). + ## Push / tag / Actions-policy considerations - **Push rulesets** — none exist, and **not adoptable**: the provider supports diff --git a/deploy/organization-rulesets/kustomization.yaml b/deploy/organization-rulesets/kustomization.yaml index 5c48fed..2e9bffa 100644 --- a/deploy/organization-rulesets/kustomization.yaml +++ b/deploy/organization-rulesets/kustomization.yaml @@ -1,7 +1,6 @@ # `OrganizationRuleset` resources — one per file, named after the rule (an active verb). -# 10 existing org rulesets are adopted Observe-first (read-only) and 2 net-new rulesets -# (1 tag, 1 branch) are managed (Create). The 10 org rulesets the provider cannot express -# remain UI-managed — +# 10 existing org rulesets are adopted Observe-first (read-only) and 1 net-new tag ruleset +# is managed (Create). The 10 org rulesets the provider cannot express remain UI-managed — # see ./README.md for the importability matrix and the push/tag/Actions-policy analysis. # Repo-scoped rulesets live in ../repository-rulesets/. Included by ../kustomization.yaml. apiVersion: kustomize.config.k8s.io/v1beta1 @@ -20,4 +19,3 @@ resources: - require-workflows-dependency-review.yaml # Net-new, managed (Create). - protect-release-tags.yaml - - require-status-checks-coderabbit-review.yaml diff --git a/deploy/organization-rulesets/protect-release-tags.yaml b/deploy/organization-rulesets/protect-release-tags.yaml index c10514e..300a3fd 100644 --- a/deploy/organization-rulesets/protect-release-tags.yaml +++ b/deploy/organization-rulesets/protect-release-tags.yaml @@ -1,5 +1,4 @@ -# Protect release tags — a net-new, actually-managed org ruleset (see also -# require-status-checks-coderabbit-review.yaml; the rest in this directory are Observe-only imports). +# Protect release tags — the ONE net-new, actually-managed ruleset in deploy/rulesets/. # # The org ships every product by tagging a `v*` release (each repo's cd.yaml triggers # on `v*`), yet had NO tag ruleset — release tags could be deleted or force-moved. diff --git a/deploy/organization-rulesets/require-status-checks-coderabbit-review.yaml b/deploy/organization-rulesets/require-status-checks-coderabbit-review.yaml deleted file mode 100644 index e38c002..0000000 --- a/deploy/organization-rulesets/require-status-checks-coderabbit-review.yaml +++ /dev/null @@ -1,62 +0,0 @@ -# Require status checks to pass - CodeRabbit — a net-new, actually-managed org ruleset -# (like protect-release-tags.yaml; NOT an Observe import, so it has no external-name). -# Named/grouped under the "require-status-checks" concern: a dedicated managed ruleset -# rather than folding into the Observe-only require-status-checks.yaml import (promoting -# that import is a lossy round-trip — see ./README.md and the bypassActors note below). -# -# CodeRabbit (the `coderabbitai` GitHub App, installed org-wide) posts a commit -# status named `CodeRabbit` once it has reviewed a PR. This `OrganizationRuleset` -# makes that status a REQUIRED check on the default branch of every repo, so a PR -# cannot merge until CodeRabbit has published its review. -# - target: branch; conditions ~DEFAULT_BRANCH on ~ALL repos — mirrors the sibling -# "Require status checks to pass" ruleset's scope (every PR merges into default). -# - requiredStatusChecks → requiredCheck context `CodeRabbit` (exact, case-sensitive -# status context); strictRequiredStatusChecksPolicy: false to match that sibling -# (don't force branch-up-to-date — the org already auto-suggests updating PR branches). -# -# Net-new like protect-release-tags.yaml: managed (Observe + Create + Update + -# LateInitialize, never Delete) — Crossplane CREATES it on first reconcile, then syncs. -# -# bypassActors: OrganizationAdmin/always (actorId 0 — the round-trip-safe form observed -# on the sibling "Require status checks to pass" ruleset). Kept as an escape hatch: an -# org-wide required check would otherwise block ALL merges during a CodeRabbit outage, -# and v0.19.1 cannot express the API's `do_not_enforce_on_create` (so the rule is -# enforced from branch creation too). Remove this block for a no-bypass gate. -# -# requiredCheck is pinned to the CodeRabbit GitHub App via integrationId 347564 (the -# `coderabbitai` app id, verified `gh api /apps/coderabbitai`) so only that app's status -# satisfies the gate — a spoofed `CodeRabbit` status from another source/app cannot. -apiVersion: enterprise.github.m.upbound.io/v1alpha1 -kind: OrganizationRuleset -metadata: - name: require-status-checks-coderabbit-review -spec: - managementPolicies: - - Observe - - Create - - Update - - LateInitialize - forProvider: - name: Require status checks to pass - CodeRabbit - target: branch - enforcement: active - conditions: - - refName: - - include: ["~DEFAULT_BRANCH"] - exclude: [] - repositoryName: - - include: ["~ALL"] - exclude: [] - rules: - - requiredStatusChecks: - - requiredCheck: - - context: CodeRabbit - integrationId: 347564 # pin to the coderabbitai app (anti-spoofing) - strictRequiredStatusChecksPolicy: false - bypassActors: - - actorId: 0 - actorType: OrganizationAdmin - bypassMode: always - providerConfigRef: - kind: ProviderConfig - name: default