
docs: add GitHub repository settings standards#10

Merged
don-petry merged 11 commits into main from docs/github-settings-standards
Apr 5, 2026

Conversation


@don-petry don-petry commented Apr 4, 2026

Summary

  • Documents standard org and repo-level GitHub configurations based on an audit of all petry-projects repositories
  • Covers branch protection rules, repository rulesets (pr-quality), merge settings, required integrations, standard labels, and a new-repo onboarding checklist
  • References existing Dependabot policy and links to CI standards (companion PR)

What's Documented

  • Organization settings — default permissions, Dependabot security
  • Repository defaults — branch naming, visibility, features (issues/wiki/projects), merge strategy
  • Branch protection — required reviews, status checks by repo, admin enforcement
  • Rulesets — pr-quality (squash-only, thread resolution), protect-branches (google-app-scripts)
  • Integrations — CodeRabbit, Copilot, SonarCloud, CodeQL, Dependabot
  • Labels — standard label set for all repos
  • New repo checklist — step-by-step onboarding guide
  • Audit & compliance — OpenSSF Scorecard weekly scans

Test plan

  • Review settings against actual repo configurations via gh api
  • Verify all referenced files and links resolve correctly
  • Confirm new-repo checklist is complete and actionable

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive GitHub standards document defining org and repository defaults (permissions, default branch, visibility, feature toggles), required branch-protection rulesets and mandatory quality checks, required integrations and organization secrets for automation, standardized label set, ecosystem-specific guidance, a checklist for applying standards, a table of compliance deviations, and a weekly automated scorecard audit workflow.

Document the standard org and repo configurations including branch
protection, rulesets, merge settings, required integrations, labels,
and new-repo onboarding checklist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 4, 2026 12:46

coderabbitai Bot commented Apr 4, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds standards/github-settings.md, a new document that defines organization- and repository-level GitHub configuration: org defaults, repository defaults, two required rulesets (pr-quality, code-quality), ecosystem-specific checks, required apps/secrets, label set, onboarding checklist, compliance deviations, and a Scorecard audit workflow. (34 words)

Changes

Cohort / File(s): GitHub Standards Documentation (standards/github-settings.md)
Summary: New organizational policy document detailing org defaults (permissions, default branch, 2FA, repo creation), repo defaults (visibility, features, merge settings), two required rulesets (pr-quality, code-quality with ecosystem-specific checks), mandated GitHub Apps and org secrets, standard labels, onboarding checklist, compliance deviations, and the weekly OpenSSF Scorecard audit workflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


🚥 Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'docs: add GitHub repository settings standards' directly and clearly describes the main change: adding documentation for GitHub settings standards.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




Copilot AI left a comment


Pull request overview

Adds an organization-wide documentation standard describing expected GitHub organization/repository settings for the petry-projects org, based on an audit, to help keep repos consistent and compliant.

Changes:

  • Introduces a new standards document covering org settings, repo defaults, branch protection, rulesets, integrations, labels, and new-repo onboarding.
  • Documents OpenSSF Scorecard audit/compliance workflow expectations and links to related policies.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@standards/github-settings.md`:
- Around line 111-114: The "Stricter review settings" row in the
protect-branches ruleset is too vague—update the documentation to list the
concrete enforcement details: specify the exact review requirements (e.g.,
number of required approvals), whether dismissing stale reviews is enabled, if
specific reviewers or CODEOWNERS/teams are required, whether status checks must
pass, and any push or merge restrictions beyond "CodeQL required" (e.g., require
linear history, require signed commits, restrict who can push). Reference the
table entries "Code scanning enforcement: CodeQL required" and "Stricter review
settings" and replace the generic phrase with the specific values for approvals,
required reviewers/teams, required status checks, and any other branch
protection rules.
- Around line 38-48: The explanatory note about why merge commits and rebase are
enabled despite squash-only enforcement is placed after the table and can
confuse readers; update the table rows for "**Allow merge commits**" and
"**Allow rebase merging**" to include a short inline rationale (e.g., "Enabled
but restricted by pr-quality ruleset") in their Rationale column, or move the
explanatory paragraph so it appears immediately after those rows (before the
squash settings) to provide context earlier and avoid confusion.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 606f858b-4b01-4796-adb8-30586822b464

📥 Commits

Reviewing files that changed from the base of the PR and between 79d2c36 and 4abf125.

📒 Files selected for processing (1)
  • standards/github-settings.md

- Improve merge settings rationale to clarify admin override purpose inline
- Replace vague protect-branches description with specific ruleset details
  from the actual GitHub API configuration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix org default permission to 'write' (not 'read')
- Fix has_projects to 'true' (currently enabled on all repos)
- Fix has_wiki to 'true' (enabled on most repos)
- Fix squash commit message to COMMIT_MESSAGES (not PR body)
- Fix broodly stack label (TypeScript + Go, not Rust)
- Add installed GitHub Apps with dates from API audit
- Add compliance status table showing per-repo deviations

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@don-petry don-petry left a comment


Review: docs: add GitHub repository settings standards

Content is thorough and well-structured — covers org-level settings, repo defaults, branch protection, rulesets, installed apps, labels, and compliance deviations.

Findings

  1. Cross-link dependency: Two relative links reference ci-standards.md (added by PR #11). These will be broken if #10 merges before #11. Recommend merging #11 first, or merging both in quick succession.

  2. CodeRabbit nitpicks (unaddressed but non-blocking):

    • Note about manual repo cleanup could be positioned closer to the relevant section
    • Minor vague description in deviation table
  3. No substantive content issues found. The compliance deviation matrix and new-repo checklist are practical additions.

CI: All passing (Analyze, CodeQL, CodeRabbit)

Verdict: Ready for human approval. Consider merging after or alongside PR #11 to avoid broken cross-links.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Change wiki to disabled, discussions to enabled
- Change squash commit title to PR_TITLE
- Replace classic branch protection with rulesets-first approach
- Strengthen pr-quality ruleset: dismiss stale reviews, require last
  push approval, require code owner review
- Abstract required checks into conditional code-quality ruleset
  (removes repo-specific names, uses condition-based check mapping)
- Fix GitHub App secrets to reflect org-level inheritance
- Update new-repo checklist and compliance status accordingly
- Add migration note for classic → ruleset transition

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@standards/github-settings.md`:
- Around line 141-150: The onboarding checklist currently only requires
`security` and `dependencies`; update it to require the full standard label set
defined earlier by adding `scorecard`, `bug`, `enhancement`, and `documentation`
alongside `security` and `dependencies` so new-repo setup matches the labels
table (`security`, `dependencies`, `scorecard`, `bug`, `enhancement`,
`documentation`) and remove any drift between the checklist and the documented
standard.
- Line 16: Update the table row for the "Two-factor requirement" entry so it is
set to required/enabled instead of Disabled: change the second column value from
"Disabled" to "Required" (or "Enabled"), and if this is a temporary exception
add a new note in the third column with an owner and expiration date; modify the
surrounding explanatory text to reflect org-wide 2FA as a baseline security
requirement rather than optional.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c4cd1cfc-fa11-4feb-a359-992f6584e04d

📥 Commits

Reviewing files that changed from the base of the PR and between 4abf125 and 01bdc1f.

📒 Files selected for processing (1)
  • standards/github-settings.md

- Set two-factor requirement to Required (was Disabled)
- Reference full standard label set in onboarding checklist

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@standards/github-settings.md`:
- Line 141: Resolve the RFC-style wording conflict by making the requirement
consistent: replace the phrase "All repositories SHOULD have these labels
available:" and the onboarding instruction "create the full standard set during
onboarding" so both use the same level (prefer "MUST"); update both occurrences
to "MUST" and ensure any checklist or onboarding step reflects that change and
uses the same imperative wording everywhere to remove ambiguity.
- Line 12: Update the Default repository permission table row: change the value
from `write` to `read` and update the accompanying description text (the row
with "**Default repository permission**" and the value "`write`") to say members
get read access by default, with write/admin access granted via teams as needed
to enforce least privilege.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0631c30e-5844-4ece-8bfc-c3f20b4bca36

📥 Commits

Reviewing files that changed from the base of the PR and between 01bdc1f and d2374ed.

📒 Files selected for processing (1)
  • standards/github-settings.md

- Change default repo permission to 'read' (least privilege)
- Change labels from SHOULD to MUST for consistency with onboarding checklist

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
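Added example, not code from this PR or from the standards document it adds: a Python compliance check for the test plan's "review settings against actual repo configurations via gh api" step, covering the values the commits above settle on (default repository permission read, 2FA required, wiki off and discussions on, PR_TITLE and COMMIT_MESSAGES squash settings, and the strengthened pr-quality rule: squash-only, dismiss stale reviews, last-push approval, code-owner review, thread resolution). It reads JSON of the shape returned by `gh api orgs/ORG`, `gh api repos/OWNER/REPO` and `gh api repos/OWNER/REPO/rules/branches/main`. The field names are GitHub's REST API names as I know them; the required approval count of 1 and the most-restrictive-wins aggregation across overlapping rulesets are assumptions; the SAMPLE_* payloads are constructed, not captured from any petry-projects repository.

```python
"""Check GitHub org/repo settings against the documented standard.

Added example, not code from this PR or the standards document it adds. Input
is JSON as returned by `gh api orgs/ORG`, `gh api repos/OWNER/REPO` and
`gh api repos/OWNER/REPO/rules/branches/main`; SAMPLE_* data is constructed.
"""
import json
import sys

# GET /orgs/{org}: least-privilege default permission, mandatory 2FA.
ORG_STANDARD = {"default_repository_permission": "read",
                "two_factor_requirement_enabled": True}

# GET /repos/{owner}/{repo}. allow_merge_commit / allow_rebase_merge are not
# checked: the standard keeps them on for admin override and relies on the
# pr-quality ruleset to make pull requests squash-only.
REPO_STANDARD = {
    "default_branch": "main",
    "has_wiki": False,
    "has_discussions": True,
    "allow_squash_merge": True,
    "squash_merge_commit_title": "PR_TITLE",
    "squash_merge_commit_message": "COMMIT_MESSAGES",
}

# Expected pull_request rule on the default branch. The approval count of 1
# is an assumption; the PR text does not state a number.
PR_RULE_STANDARD = {
    "required_approving_review_count": 1,
    "dismiss_stale_reviews_on_push": True,
    "require_last_push_approval": True,
    "require_code_owner_review": True,
    "required_review_thread_resolution": True,
    "allowed_merge_methods": ["squash"],
}


def effective_pr_parameters(pr_rules):
    """Fold overlapping pull_request rules into the strictest combination.

    Assumption: models GitHub's most-restrictive-wins behaviour when several
    rulesets target one branch (max count, OR of booleans, intersection of lists).
    """
    effective = {}
    for rule in pr_rules:
        for key, value in rule.get("parameters", {}).items():
            if key not in effective:
                effective[key] = value
            elif isinstance(value, bool):  # test bool first: bool subclasses int
                effective[key] = effective[key] or value
            elif isinstance(value, int):
                effective[key] = max(effective[key], value)
            elif isinstance(value, list):
                effective[key] = [m for m in effective[key] if m in value]
    return effective


def _diff(actual, expected, prefix):
    """One finding per expected key whose live value differs or is absent."""
    return [f"{prefix}.{key}: expected {want!r}, got {actual.get(key, '<missing>')!r}"
            for key, want in expected.items() if actual.get(key, "<missing>") != want]


def audit(org, repo, branch_rules):
    """Return the list of deviations; an empty list means compliant."""
    findings = _diff(org, ORG_STANDARD, "org") + _diff(repo, REPO_STANDARD, "repo")
    pr_rules = [r for r in branch_rules if r.get("type") == "pull_request"]
    if not pr_rules:
        findings.append("rules.pull_request: no active pull_request rule on the "
                        "default branch (pr-quality ruleset missing or disabled)")
    else:
        findings += _diff(effective_pr_parameters(pr_rules), PR_RULE_STANDARD,
                          "rules.pull_request")
    return findings


# Constructed sample: compliant org, wiki still on, PR rule weaker than required.
SAMPLE_ORG = {"login": "example-org", "default_repository_permission": "read",
              "two_factor_requirement_enabled": True}
SAMPLE_REPO = {"name": "example-repo", "default_branch": "main", "has_wiki": True,
               "has_discussions": True, "allow_squash_merge": True,
               "allow_merge_commit": True, "allow_rebase_merge": True,
               "squash_merge_commit_title": "PR_TITLE",
               "squash_merge_commit_message": "COMMIT_MESSAGES"}
SAMPLE_BRANCH_RULES = [
    {"type": "deletion", "ruleset_source": "example-repo", "ruleset_id": 1},
    {"type": "pull_request", "ruleset_source": "example-org", "ruleset_id": 2,
     "parameters": {"required_approving_review_count": 1,
                    "dismiss_stale_reviews_on_push": True,
                    "require_last_push_approval": False,
                    "require_code_owner_review": True,
                    "required_review_thread_resolution": True,
                    "allowed_merge_methods": ["merge", "squash"]}},
]

if __name__ == "__main__":
    # Real use: pass the three saved gh api responses; otherwise audit the sample.
    if len(sys.argv) == 4:
        org, repo, rules = (json.load(open(p)) for p in sys.argv[1:])
    else:
        org, repo, rules = SAMPLE_ORG, SAMPLE_REPO, SAMPLE_BRANCH_RULES
    for finding in audit(org, repo, rules):
        print("DEVIATION", finding)
```

Save the three gh api responses to files and run the script (saved as, say, audit_settings.py, a name chosen here) with those three paths; with no arguments it audits the constructed sample, which reports the wiki still enabled and a pull_request rule that lacks last-push approval and still permits merge commits. Repo-level allow_merge_commit is deliberately not a deviation, matching the rationale in the merge-settings commit: it stays enabled for admin override and the ruleset restricts PR merges to squash.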
DJ and others added 2 commits April 5, 2026 09:29
All five check categories (SonarCloud, CodeQL, Claude Code, CI, Coverage)
are now universally required. Ecosystem-specific configuration varies by
what languages/tools the repo contains — if an ecosystem is present, it
must be configured in the relevant checks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@standards/github-settings.md`:
- Line 120: Two links labeled "CI Standards" currently point to ci-standards.md
(which was removed and moved to PR `#11`); update both occurrences so they don't
point to a dead file: replace the hrefs that reference "ci-standards.md" with
the correct new document path in the companion PR or, temporarily, a direct link
to PR `#11` (or add a note pointing to PR `#11`) so the onboarding steps remain
actionable; search for the exact text "CI Standards" and the filename
"ci-standards.md" to locate the two places to change.
- Around line 188-190: The note currently lists CLAUDE_CODE_OAUTH_TOKEN as an
inherited org-level secret while the secrets table only documents APP_ID and
APP_PRIVATE_KEY; either add a new row for CLAUDE_CODE_OAUTH_TOKEN in the secrets
table with its purpose and scope (e.g., "Claude Code OAuth token — org-level,
used for CI/CD/code-assistant integrations") or remove CLAUDE_CODE_OAUTH_TOKEN
from the note so the note and the table are consistent; update the text strings
"CLAUDE_CODE_OAUTH_TOKEN", "APP_ID", and "APP_PRIVATE_KEY" accordingly to keep
the doc consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2ded0d9f-6ad0-4d1e-81dc-6f05bed3aca1

📥 Commits

Reviewing files that changed from the base of the PR and between d2374ed and 60274cf.

📒 Files selected for processing (1)
  • standards/github-settings.md

- Split secrets into org-level and repo-level sections
- Add CLAUDE_CODE_OAUTH_TOKEN to org secrets table
- Add SONAR_TOKEN and GCP secrets to repo-level table
- Align onboarding note with secrets sections

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@standards/github-settings.md`:
- Line 120: Update the broken link target "ci-standards.md" in the "See [CI
Standards](ci-standards.md) for workflow templates and patterns." line so it
points to the correct resource: either replace the href with the PR reference
(e.g., the PR `#11` URL or the proper path provided by that PR) or ensure the
ci-standards.md file is added to the branch and committed; verify the link
resolves after your change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 56f05f60-85a9-40df-87ad-902c343bdb54

📥 Commits

Reviewing files that changed from the base of the PR and between 60274cf and b232f5d.

📒 Files selected for processing (1)
  • standards/github-settings.md

DJ and others added 2 commits April 5, 2026 09:42
- CodeQL definition now focuses on rule: all ecosystems must be configured
- Move SONAR_TOKEN to org-level secrets
- Remove repo-level secrets section — all standard CI secrets are org-level
- Simplify onboarding note

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Correct typo in the note about repo-specific secrets.
@don-petry don-petry merged commit ed24e34 into main Apr 5, 2026
2 checks passed