diff --git a/scripts/compliance-audit.sh b/scripts/compliance-audit.sh
index 381dd1f..60288d0 100755
--- a/scripts/compliance-audit.sh
+++ b/scripts/compliance-audit.sh
@@ -37,10 +37,11 @@ REQUIRED_WORKFLOWS=(ci.yml codeql.yml sonarcloud.yml claude.yml dependabot-autom
 REQUIRED_LABELS=(security dependencies scorecard bug enhancement documentation)
 REQUIRED_SETTINGS_BOOL=(
- "allow_auto_merge:true:Allow auto-merge must be enabled for Dependabot workflow"
- "delete_branch_on_merge:true:Automatically delete head branches must be enabled"
- "has_wiki:false:Wiki should be disabled — documentation lives in the repo"
- "has_issues:true:Issue tracking must be enabled"
+ "allow_auto_merge:true:warning:Allow auto-merge must be enabled for Dependabot workflow"
+ "delete_branch_on_merge:true:warning:Automatically delete head branches must be enabled"
+ "has_wiki:false:warning:Wiki should be disabled — documentation lives in the repo"
+ "has_issues:true:error:Issue tracking must be enabled"
+ "has_discussions:true:error:Discussions must be enabled for ideation and community engagement"
 )
 
 # ---------------------------------------------------------------------------
@@ -124,6 +125,9 @@ detect_ecosystems() {
 if echo "$tree" | grep -qE '\.github/workflows/.*\.yml$'; then
 ECOSYSTEMS+=("github-actions")
 fi
+ if echo "$tree" | grep -qE '(^|/)_bmad/'; then
+ ECOSYSTEMS+=("bmad-method")
+ fi
 }
 
 # ---------------------------------------------------------------------------
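Review bot: The four-field `key:expected:severity:detail` encoding of REQUIRED_SETTINGS_BOOL is positional and undocumented, and an entry still written in the old three-field form parses without any error — its description text lands in `severity` and `detail` comes out empty. A comment above the array stating the contract, e.g. `# Format: key:expected:severity:detail — severity is error|warning; detail is read last, so it alone may contain ':'`, makes the shape explicit for the next person adding a setting. The `(^|/)_bmad/` test in detect_ecosystems only matches when `$tree` contains paths beneath the directory (or a trailing-slash entry), which is consistent with the existing `\.github/workflows/.*\.yml$` pattern, so the tree listing is presumably recursive; worth confirming, since a bare `_bmad` entry would not match.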
@@ -139,6 +143,15 @@ check_required_workflows() {
 "standards/ci-standards.md#required-workflows"
 fi
 done
+ # Conditional: bmad-method repos must have feature-ideation workflow
+ if [[ " ${ECOSYSTEMS[*]} " == *" bmad-method "* ]]; then
+ if ! gh_api "repos/$ORG/$repo/contents/.github/workflows/feature-ideation.yml" --jq '.name' > /dev/null 2>&1; then
+ add_finding "$repo" "ci-workflows" "missing-feature-ideation.yml" "error" \
+ "BMAD Method repo must have \`feature-ideation.yml\` workflow for automated ideation" \
+ "standards/ci-standards.md#8-feature-ideation-feature-ideationyml-bmad-method-repos"
+ fi
+ fi
 }
 
 # ---------------------------------------------------------------------------
@@ -257,11 +270,11 @@ check_repo_settings() {
 # Boolean settings checks
 for entry in "${REQUIRED_SETTINGS_BOOL[@]}"; do
- IFS=':' read -r key expected detail <<< "$entry"
+ IFS=':' read -r key expected severity detail <<< "$entry"
 local actual
 actual=$(echo "$settings" | jq -r ".$key // \"null\"")
 if [ "$actual" != "$expected" ]; then
- add_finding "$repo" "settings" "$key" "warning" \
+ add_finding "$repo" "settings" "$key" "$severity" \
 "$detail (current: \`$actual\`, expected: \`$expected\`)" \
 "standards/github-settings.md#repository-settings--standard-defaults"
 fi
@@ -276,14 +289,6 @@ check_repo_settings() {
 "standards/github-settings.md#general"
 fi
- # Discussions
- local has_discussions
- has_discussions=$(echo "$settings" | jq -r '.has_discussions')
- if [ "$has_discussions" != "true" ]; then
- add_finding "$repo" "settings" "has-discussions" "warning" \
- "Discussions should be enabled for community engagement" \
- "standards/github-settings.md#general"
- fi
 }
 
 # ---------------------------------------------------------------------------
diff --git a/standards/ci-standards.md b/standards/ci-standards.md
index 57b58cd..7aceb10 100644
--- a/standards/ci-standards.md
+++ b/standards/ci-standards.md
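Review bot: The new feature-ideation check in check_required_workflows discards stderr and treats any non-zero exit from gh_api as a missing workflow, so a rate limit, expired token or network error is recorded as a compliance `error` against the repo instead of failing the audit. Capture the output and only emit the finding on a not-found response, e.g. `local out; if ! out=$(gh_api "repos/$ORG/$repo/contents/.github/workflows/feature-ideation.yml" --jq '.name' 2>&1); then` followed by `[[ "$out" == *"Not Found"* ]] || { printf 'audit error for %s: %s\n' "$repo" "$out" >&2; return 1; }` — the exact text to match depends on what gh_api passes through, which is not visible here. The required-workflow loop just above may use the same `> /dev/null 2>&1` pattern; if so the same distinction applies there. The function starts outside the hunk; only its closing brace is inside.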
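Review bot: The `jq -r ".$key // \"null\""` line feeding the new severity-aware comparison in check_repo_settings treats a boolean false as missing, because jq's `//` falls through on `false` as well as `null`; a repo whose `has_wiki` is correctly `false` therefore reads as `current: null` and is flagged against `expected: false`. Use `actual=$(echo "$settings" | jq -r "if .$key == null then \"null\" else .$key end")` so a genuine false survives the lookup. Since `severity` is now taken from the array entry, also reject anything other than the values used on this page before calling add_finding, e.g. `case "$severity" in error|warning) ;; *) printf 'bad severity %q in entry %q\n' "$severity" "$entry" >&2; exit 1 ;; esac`, so a malformed or old-format entry fails loudly rather than producing a finding with an unexpected severity. check_repo_settings starts before this hunk and continues after it.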
@@ -219,6 +219,35 @@ See [`workflows/agent-shield.yml`](workflows/agent-shield.yml) and the
 ---
+## Conditional Workflows
+
+These workflows are required only when a specific ecosystem is detected.
+
+### 8. Feature Ideation (`feature-ideation.yml`) — BMAD Method repos
+
+**Condition:** Repository contains a `_bmad/` directory (BMAD Method installed).
+
+Scheduled weekly workflow that uses Claude Code Action as the BMAD Analyst
+(Mary) to research market trends, analyze project signals, and create per-idea
+Discussion threads in the **Ideas** category. Each proposal is a separate
+Discussion, updated by subsequent runs as the market and project evolve.
+
+| Setting | Value |
+|---------|-------|
+| **Schedule** | Weekly (recommended: Friday early morning) |
+| **Output** | GitHub Discussions in the Ideas category |
+| **Inputs** | `focus_area` (optional), `research_depth` (quick/standard/deep) |
+| **Permissions** | `contents: read`, `discussions: write`, `id-token: write` |
+| **Required secrets** | `CLAUDE_CODE_OAUTH_TOKEN` (org-level) |
+
+**Prerequisite:** Discussions must be enabled with an "Ideas" category
+(see [Discussions Configuration](github-settings.md#discussions-configuration)).
+
+See the [TalkTerm implementation](https://github.com/petry-projects/TalkTerm/blob/main/.github/workflows/feature-ideation.yml)
+as the reference template.
+
+---
+
 ## Workflow Patterns by Tech Stack
 ### TypeScript / Node.js (npm)
diff --git a/standards/github-settings.md b/standards/github-settings.md
index e16e94d..ef8507f 100644
--- a/standards/github-settings.md
+++ b/standards/github-settings.md
@@ -31,7 +31,7 @@ SHOULD be audited and brought into compliance.
 | **Has Issues** | `true` | Issue tracking enabled on all repos |
 | **Has Projects** | `true` | Currently enabled on all repos |
 | **Has Wiki** | `false` | Disabled — documentation lives in the repo |
-| **Has Discussions** | `true` | Enabled for community engagement |
+| **Has Discussions** | `true` | **Required** — enables Discussions for ideation, feedback, and community engagement (see [Discussions Configuration](#discussions-configuration)) |
 
 ### Merge Settings
@@ -51,6 +51,54 @@ SHOULD be audited and brought into compliance.
 ---
+
+## Discussions Configuration
+
+GitHub Discussions MUST be enabled on all repositories. Discussions serve as the
+durable, threaded home for feature ideation, design proposals, and community
+feedback — distinct from Issues (which track actionable work).
+
+### Required Discussion Categories
+
+All repositories MUST have the following categories configured:
+
+| Category | Format | Emoji | Description |
+|----------|--------|-------|-------------|
+| **Ideas** | Open-ended | `💡` | Feature proposals, ideation threads, and innovation exploration |
+| **General** | Open-ended | `💬` | General project discussions and questions |
+
+Additional categories MAY be added per project needs (e.g., "Q&A", "Show and Tell",
+"Polls"). The two above are the required minimum.
+
+### Automated Ideation Workflow
+
+Repositories with the [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD)
+installed (`_bmad/` directory) MUST have the `feature-ideation.yml` workflow,
+which uses the **Ideas** category to post and maintain feature proposal
+Discussions. Each proposal is a separate Discussion thread, updated by subsequent
+workflow runs as market signals and project context evolve. See
+[CI Standards § Feature Ideation](ci-standards.md#8-feature-ideation-feature-ideationyml-bmad-method-repos)
+for requirements.
+
+### Setup
+
+To enable and configure Discussions on an existing repository:
+
+```bash
+# Enable Discussions
+gh api -X PATCH repos// -f has_discussions=true
+
+# Discussion categories are managed via the GitHub UI:
+# Settings → General → Features → Discussions → Set up discussions
+# Or via GraphQL after initial setup.
+```
+
+> **Note:** Discussion categories cannot currently be created via the REST API.
+> Use the GitHub UI or GraphQL `createDiscussionCategory` mutation. The compliance
+> audit checks that Discussions are enabled; category configuration is verified
+> manually during onboarding.
+
+---
+
 ## Repository Rulesets
 Rulesets are the primary enforcement mechanism for branch policies. All
@@ -106,6 +154,7 @@ in the relevant checks:
 | `pyproject.toml` / `requirements.txt` | `python` | Python analysis | pytest, coverage | `pip-audit` |
 | `.github/workflows/*.yml` | `actions` | — | — | — |
 | `*.tf` (Terraform) | — | — | `terraform validate` | Dependabot security updates |
+| `_bmad/` (BMAD Method) | — | — | `feature-ideation.yml` (weekly) | — |
 
 Multi-language repos (e.g., TypeScript + Go) MUST configure all applicable ecosystems in each check.