apply-rulesets.sh: handle Tier 1 reusable check names #91

@don-petry


Problem

scripts/apply-rulesets.sh only knows about claude.yml, sonarcloud.yml, codeql.yml, and ci.yml when building required-status-checks lists. For each it computes <workflow-name> / <job> based on the file's name: header.

Two issues:

  1. Missing centralized workflows. agent-shield.yml, dependency-audit.yml, dependabot-automerge.yml, dependabot-rebase.yml, feature-ideation.yml are not handled.
  2. Wrong claude.yml check name format. The current code builds Claude Code / claude (using the workflow's display name). GitHub actually composes reusable check names as <caller-job-id> / <reusable-job-id-or-name> — e.g. claude-code / claude. The script's output doesn't match what GitHub actually publishes.

This caused petry-projects/markets#78 and petry-projects/bmad-bgreat-suite#78 to deadlock until rulesets were manually fixed today.

Fix

Replace the existing claude.yml block (lines ~95–103) with a hardcoded list, since Tier 1 stubs all have known fixed caller-job-ids per the canonical templates in standards/workflows/:

# --- Tier 1 centralized workflows: caller-job-ids are fixed by the
# standard templates, so the resulting check names are known constants.
# See standards/ci-standards.md#centralization-tiers
if echo "$workflows" | grep -qx "claude.yml"; then
  checks+=("claude-code / claude")
  # claude-issue runs only on labeled issues, never on PRs — don't require it
fi
if echo "$workflows" | grep -qx "agent-shield.yml"; then
  checks+=("agent-shield / AgentShield")
fi
if echo "$workflows" | grep -qx "dependency-audit.yml"; then
  checks+=("dependency-audit / Detect ecosystems")
  # Per-ecosystem audit jobs are conditional on lockfile presence;
  # don't require them globally — they report SKIPPED when not applicable
fi
# dependabot-automerge / dependabot-rebase are intentionally NOT required
# (they only run on dependabot[bot] PRs / pushes, not regular PRs)

Then run apply-rulesets.sh against every petry-projects repo to converge.

Out of scope (file separately if desired)

Updating classic branch protection (gh api repos/<repo>/branches/main/protection) — markets had a stale classic protection in addition to the ruleset, which had to be patched manually today. Worth a separate utility script that converges both classic and ruleset protections.

Related: petry-projects/markets#78, petry-projects/bmad-bgreat-suite#78, #88.
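
A drift check for the deadlock described above, as an added example that is not part of the issue or of apply-rulesets.sh. The function names are hypothetical, the check names are the constants from the proposed fix, and the ruleset's required contexts are assumed to be already extracted into a newline-separated list (the sample data is constructed).

```shell
#!/bin/sh
# Added example, not part of apply-rulesets.sh. Function names are hypothetical.

# Read workflow filenames on stdin; print the required check name for each
# Tier 1 stub, using the <caller-job-id> / <job name> constants from the issue.
tier1_expected_checks() {
  while IFS= read -r _wf; do
    case "$_wf" in
      claude.yml)           echo 'claude-code / claude' ;;
      agent-shield.yml)     echo 'agent-shield / AgentShield' ;;
      dependency-audit.yml) echo 'dependency-audit / Detect ecosystems' ;;
      # dependabot-automerge.yml, dependabot-rebase.yml: never required
    esac
  done
}

# not_in <set> <candidates>: print each candidate line that has no exact,
# case-sensitive match in <set> (both are newline-separated lists).
not_in() {
  printf '%s\n' "$2" | while IFS= read -r _ctx; do
    [ -n "$_ctx" ] || continue
    printf '%s\n' "$1" | grep -Fqx -- "$_ctx" || printf '%s\n' "$_ctx"
  done
}

# Constructed sample data: workflows present in a repo, and the contexts a
# ruleset currently requires (first entry uses the display-name format).
workflows='claude.yml
agent-shield.yml
dependency-audit.yml
dependabot-automerge.yml'
required='Claude Code / claude
agent-shield / AgentShield'

expected=$(printf '%s\n' "$workflows" | tier1_expected_checks)
echo "Required but never published (PRs will block):"
not_in "$expected" "$required" | sed 's/^/  /'
echo "Expected but not yet required:"
not_in "$required" "$expected" | sed 's/^/  /'
```

A non-empty first list is the condition that blocks merges: the ruleset waits on a context that no workflow run reports.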
