feat(rulesets): reverse-engineer org branch protection + add review gate, conventional commits#4
Merged
Conversation
…ate, conventional commits Codifies the pre-Terraform live state of the org-level rulesets and applies the directives from #2/#3 review. Single PR because the imports must land together with the new resources to avoid duplicate ruleset creation on next apply. New rulesets ------------ - `github_organization_ruleset.org_branch_protection` — non-bypassable quality gate on every default branch. Reverse-engineered from the pre-Terraform "main" org ruleset (id 15555419) and extended with strict Conventional Commits enforcement. Rules: - required_linear_history = true - required_signatures = true - branch_name_pattern = starts_with (main|develop|feat|fix|hotfix|release|chore) - commit_message_pattern = regex enforcing Conventional Commits v1.0.0 - pull_request = thread resolution required, 0 approvers (the approver requirement lives in org_review_gate with admin bypass) No bypass_actors: signed commits, linear history, and Conventional Commits apply to every actor including OrganizationAdmins. - `github_organization_ruleset.org_review_gate` — separate ruleset so the admin bypass below doesn't accidentally weaken the quality gates above. Rules: - pull_request { required_approving_review_count = 1, require_code_owner_review = true, required_review_thread_resolution = true, allowed_merge_methods = [squash, rebase] } bypass_actors: OrganizationAdmin (actor_id=1, the API constant) in pull_request mode. Any OrganizationAdmin merges their own PRs without external review; non-admin actors must obtain the review. GitHub rulesets do not support per-author conditional rules. The closest approximation — "everyone but an admin needs a reviewer" — is implemented via OrganizationAdmin bypass. Granting a new account the OrganizationAdmin role extends this bypass to them. Existing ruleset reconciled --------------------------- - `github_organization_ruleset.markdown_lint` updated to match live state for clean import: ref_name = ~ALL (was ~DEFAULT_BRANCH), do_not_enforce_on_create = true. Default enforcement stays "evaluate" (legacy default); pass `-var markdown_lint_enforcement=active` to flip on. Live is currently "disabled" — apply moves it to "evaluate". Import blocks ------------- Declared in rulesets.tf so `tofu apply` adopts pre-Terraform state in the same run that adds the new resources: import { to = github_organization_ruleset.org_branch_protection id = "15555419" } import { to = github_organization_ruleset.markdown_lint id = "17062292" } org_review_gate is new (no existing live ruleset), so no import needed. Config — no magic numbers ------------------------- - config/rulesets-defaults.yml gains a `branch_protection` block with the branch name pattern, the Conventional Commits regex, and the allowed merge methods. Patterns are tunable here without editing .tf. - locals.tf decodes the full config file once and exposes per-section locals (push_protection_defaults, branch_protection_defaults). Conventions — identities out of source tree ------------------------------------------- - AGENTS.md adds a "No identities anywhere except providers.tf owner" rule. No usernames, account logins, or person-tied identifiers in .tf resource bodies, comments, variable descriptions, config/*.yml, or CODEOWNERS-style files committed in this repo. CODEOWNERS for managed repos materializes at apply time from a Terraform variable. - The `.github/CODEOWNERS` file that an earlier commit attempt added is intentionally NOT in this PR — it would have hardcoded an owner login. CODEOWNERS for this repo and all dryvist repos lands in a follow-up PR via `github_repository_file` with the owner identity as a `-var` input. Conventions — cost policy ------------------------- - AGENTS.md adds a "Cost policy" section documenting GitHub's pricing model and the rule "never apply a policy or enable a feature that costs money unless the PR body declares the cost and the operator approves it." Includes a matrix of free / GHAS-gated / metered / subscription features as of 2026-05, with sources, and a per-PR cost-impact checklist for any change that touches Actions, GHAS, Codespaces, Copilot, or org/repo settings affecting those. Variables --------- - New: org_branch_protection_enforcement (default "active") - New: org_review_gate_enforcement (default "active") Apply ----- Requires the ORG_ADMIN token tier (gh-claude-org-admin). Apply will: 1. Adopt rulesets 15555419 and 17062292 into Terraform state 2. Rename the imported rulesets to org-branch-protection / org-markdown-lint 3. Add commit_message_pattern rule to the imported branch-protection ruleset 4. Create new org-review-gate ruleset 5. Move markdown_lint enforcement from disabled -> evaluate Cost impact ----------- Free — all ruleset rules are native GitHub features at zero cost on any plan. The markdown_lint workflow runs on Actions; public repos are free, private repos count against the Team-plan free-tier minutes (3000/month GitHub-hosted, $0.002/min self-hosted as of 2026-03-01). No GHAS feature flipped on by this PR. Verification ------------ - tofu init -backend=false and tofu validate -> green - pre-commit run --all-files -> all hooks pass Assisted-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Codifies the pre-Terraform live state of the org-level rulesets and applies the directives from PR #2 / #3 review feedback. Single PR because the
importblocks must land together with the new resources to avoid duplicate ruleset creation on next apply.What lands
New rulesets:
org_branch_protectionrequired_linear_history,required_signatures, branch name pattern, strict Conventional Commits regex, PR thread resolution. No bypass — applies to every actor including OrganizationAdmins.org_review_gatepull_requestmode — any admin merges their own PRs without external review; non-admin actors must obtain it.Existing ruleset reconciled:
markdown_lintupdated to match live state for clean import —ref_name = ~ALL(was~DEFAULT_BRANCH),do_not_enforce_on_create = true. Default enforcement staysevaluate(legacy); live is currentlydisabledso apply moves itdisabled → evaluate. Pass-var markdown_lint_enforcement=activeto flip on.Import blocks:
```hcl
import { to = github_organization_ruleset.org_branch_protection
id = "15555419" } # was "main"
import { to = github_organization_ruleset.markdown_lint
id = "17062292" } # was "Required Workflows - All Branches"
```
Directive answers
org_review_gate.pull_request(closest GitHub supports — rulesets have no per-author conditional rules)required_review_thread_resolution = truein both rulesetsrequired_signatures = trueinorg_branch_protection, no bypasscommit_message_patternblock with regex^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\([a-z0-9\\-]+\))?(!)?: .+\$required_linear_history = trueinorg_branch_protection, no bypassCODEOWNERS deliberately not in this PR
An earlier commit attempt added
.github/CODEOWNERSwith an owner login baked in. That violates the no-identities-in-code rule the PR also codifies in AGENTS.md. CODEOWNERS files for every dryvist repo (this one included) land in a follow-up PR viagithub_repository_filewith the owner identity supplied as a Terraform variable — the repo source tree stays identity-free.Conventions added to AGENTS.md
providers.tfowner — no usernames, account logins, email addresses, or person-tied identifiers in any source file. CODEOWNERS materialized at apply time from a variable.Cost impact
Free. All ruleset rules are native GitHub features at zero cost on any plan. The
markdown_lintworkflow runs on Actions; public repos are unlimited free, private repos count against the Team-plan free tier (3000 min/month GitHub-hosted; $0.002/min self-hosted on private as of 2026-03-01). No GHAS feature flipped on by this PR.Apply (requires
gh-claude-org-admin)```bash
gh-claude-org-admin
tofu init -backend-config=...
tofu apply
```
Apply will:
org-branch-protection/org-markdown-lintcommit_message_patternrule to the imported branch-protection rulesetorg-review-gaterulesetmarkdown_lintenforcement fromdisabled→evaluateTest plan