ci(ospo): add three PR controls + admin emergency bypass #26
Merged
Conversation
OSPO compliance request (deadline 16 June 2026) flagged three missing controls on the main-protection ruleset. Add them now under our own ruleset so the posture is explicit before central enforcement:

- dismiss_stale_reviews_on_push: false -> true
- require_last_push_approval: false -> true
- required_review_thread_resolution: false -> true

Per project-owner request, also re-add a narrow bypass actor:

- bypass_actors: [] -> RepositoryRole/5 (admin), bypass_mode pull_request

This regresses OSPO Control 5 (PR #22 had removed the admin bypass entirely) and is documented in CLAUDE.md as an explicit owner decision. The bypass is pull_request mode only: admins still cannot force-push or delete main, only merge a PR without satisfying the new review/resolution checks during an emergency.

Using RepositoryRole/5 (well-known id for the 'admin' role) instead of enumerating Users avoids drift as the admin roster changes (see docs/ospo-admin-demotion-draft.md, an active demotion effort) and avoids the Integration actor type that the SAP-samples org rejected with HTTP 422 in PR #23.

Apply order matches PR #22/#23: this PR commits the JSON spec; the gh api PUT to import it server-side runs after merge. If the org rejects RepositoryRole/5 with HTTP 422, the fallback is to ship the three required controls with bypass_actors: [] (the 16 June deadline is binding; bypass is owner preference).

Refs: docs/ospo-admin-demotion-draft.md, .github/rulesets/main-protection.json
Contributor
I am unable to effectively review this as it is hard to understand what's being stated in the description. It is also difficult to match up anything in the description with what's actually changed in the commits.
Contributor
Author
@qmacro |
qmacro approved these changes on Jun 12, 2026
OSPO compliance request (deadline 16 June 2026) flagged three missing controls on the main-protection ruleset. This PR adds them now under our own ruleset so the posture is explicit before central enforcement.

Findings addressed

- dismiss_stale_reviews_on_push: false → true
- require_last_push_approval: false → true
- required_review_thread_resolution: false → true

Bypass actor

Per project-owner request, also re-add a narrow bypass actor:

- bypass_actors: [] → RepositoryRole/5 (admin), bypass_mode: pull_request

This regresses OSPO Control 5 (PR #22 had removed the admin bypass entirely) and is documented in CLAUDE.md as an explicit owner decision. The bypass is pull_request mode only: admins still cannot force-push or delete main, only merge a PR without satisfying the new review/resolution checks during an emergency. Admins still need 1 approving review (the baseline required_approving_review_count: 1 has no per-actor override in this ruleset).

Using RepositoryRole/5 (well-known id for the admin role) instead of enumerating Users avoids drift as the admin roster changes (see docs/ospo-admin-demotion-draft.md, an active demotion effort) and avoids the Integration actor type that the SAP-samples org rejected with HTTP 422 in PR #23.

Apply order

Matches PR #22 / #23: this PR commits the JSON spec; the gh api PUT to import it server-side runs after merge. If the org rejects RepositoryRole/5 with HTTP 422, the fallback is to ship the three required controls with bypass_actors: [] — the 16 June deadline is binding; bypass is owner preference.

Supersedes

Closed #25 (ospo-branch-protection) which targeted only the bypass and missed the three required controls, and used the broader bypass_mode: always.

Plan

C:/Users/I809764/.claude/plans/dazzling-launching-frost.md
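The ruleset shape the PR body describes, as an added example that is not the project's own .github/rulesets/main-protection.json and not code from the PR. It builds the main-protection spec with the three controls on and the RepositoryRole/5 bypass in pull_request mode, the bypass_actors: [] fallback for the HTTP 422 path, a constructed "before" state in the shape of the closed #25 (controls off, bypass_mode: always), and a small posture check a reviewer can run over the JSON that gh api returns after the import. Field names follow GitHub's repository-ruleset REST schema; the ~DEFAULT_BRANCH condition, the deletion and non_fast_forward rules, and the OWNER/REPO/ruleset-id placeholders in the gh command are assumptions, not values from the page.

```python
"""Added example (not the project's own ruleset file): build the ruleset the PR
describes, the weaker #25-style variant, and a posture check for the JSON that
`gh api repos/OWNER/REPO/rulesets/ID` returns. Owner, repo and ruleset id are
placeholders; field names follow GitHub's repository-ruleset REST schema."""
import json
from copy import deepcopy

ADMIN_ROLE_ID = 5  # well-known RepositoryRole id for "admin" (the PR's RepositoryRole/5)

# The three pull_request-rule parameters the OSPO request flagged.
OSPO_PR_CONTROLS = (
    "dismiss_stale_reviews_on_push",
    "require_last_push_approval",
    "required_review_thread_resolution",
)


def pr_rule_params(ruleset):
    """Return the parameters dict of the ruleset's pull_request rule, or {} if absent."""
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "pull_request":
            return rule.setdefault("parameters", {})
    return {}


def main_protection_ruleset(with_admin_bypass=True):
    """Ruleset spec matching the PR: three controls on, narrow admin bypass only via PR."""
    bypass = []
    if with_admin_bypass:
        bypass.append({"actor_id": ADMIN_ROLE_ID, "actor_type": "RepositoryRole",
                       "bypass_mode": "pull_request"})  # deliberately not "always"
    return {
        "name": "main-protection",
        "target": "branch",
        "enforcement": "active",
        # Assumed condition: apply to the default branch (main).
        "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
        "bypass_actors": bypass,
        "rules": [
            {"type": "deletion"},          # assumed: nobody deletes main
            {"type": "non_fast_forward"},  # assumed: no force-push to main
            {"type": "pull_request", "parameters": {
                "required_approving_review_count": 1,
                "dismiss_stale_reviews_on_push": True,
                "require_code_owner_review": False,
                "require_last_push_approval": True,
                "required_review_thread_resolution": True,
            }},
        ],
    }


def without_bypass(ruleset):
    """The PR's fallback if the org answers HTTP 422: same controls, bypass_actors: []."""
    fallback = deepcopy(ruleset)
    fallback["bypass_actors"] = []
    return fallback


def legacy_ruleset_like_pr25():
    """Constructed 'before' state in the shape of closed #25: controls off, bypass_mode always."""
    rs = main_protection_ruleset(with_admin_bypass=True)
    rs["bypass_actors"][0]["bypass_mode"] = "always"
    params = pr_rule_params(rs)
    for key in OSPO_PR_CONTROLS:
        params[key] = False
    return rs


def posture_findings(ruleset):
    """Findings for a ruleset JSON document: missing OSPO controls and over-broad bypasses."""
    findings = []
    params = pr_rule_params(ruleset)
    if not params:
        findings.append("no pull_request rule")
    for key in OSPO_PR_CONTROLS:
        if params.get(key) is not True:
            findings.append(f"{key} is not true")
    for actor in ruleset.get("bypass_actors", []):
        if actor.get("bypass_mode") == "always":
            findings.append(f"bypass actor {actor.get('actor_type')}/{actor.get('actor_id')} "
                            "uses bypass_mode always")
    return findings


def gh_import_command(owner, repo, ruleset_id, path=".github/rulesets/main-protection.json"):
    """The post-merge server-side import the PR describes, as a gh CLI call (placeholder ids)."""
    return f"gh api -X PUT repos/{owner}/{repo}/rulesets/{ruleset_id} --input {path}"


if __name__ == "__main__":
    spec = main_protection_ruleset()
    print(json.dumps(spec, indent=2))
    print("findings (this PR):", posture_findings(spec))
    print("findings (#25 shape):", posture_findings(legacy_ruleset_like_pr25()))
    print(gh_import_command("OWNER", "REPO", 123456))
```

Run the check against the live ruleset by piping `gh api repos/OWNER/REPO/rulesets/ID` through `json.load` and `posture_findings`; an empty list means the three controls are true and no actor carries the always mode, which is the state the PR is meant to leave main in whether or not the org accepted the RepositoryRole/5 actor.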