feat: add pr-quality ruleset support to apply-rulesets.sh#80
Conversation
Adds build_pr_quality_ruleset_json() function and updates apply_rulesets() to create/update the pr-quality ruleset on each repo, per the standard defined in standards/github-settings.md. Ruleset enforces: - 1 required approving review - Dismiss stale reviews on push - Require code owner review - Require last push approval - All review threads resolved before merge - Linear history (squash-only merges) - No force pushes, no branch deletion Bypass actors: OrganizationAdmin (always), dependabot-automerge-petry (pull_request). Also removes stale TODO note from standards/github-settings.md about pr-quality support being missing from the script. Closes #48 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 14 minutes and 26 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds support to manage a pr-quality repository ruleset via scripts/apply-rulesets.sh, aligning automated ruleset application with the documented GitHub settings standard.
Changes:
- Added
build_pr_quality_ruleset_json()to generate thepr-qualityruleset payload. - Updated
apply_rulesets()to create/update thepr-qualityruleset alongsidecode-quality. - Updated the standards doc to reflect that both rulesets are now applied via the script.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| standards/github-settings.md | Updates guidance to reflect that apply-rulesets.sh now applies both pr-quality and code-quality. |
| scripts/apply-rulesets.sh | Adds JSON payload builder and create/update logic for the new pr-quality ruleset. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| bypass_actors: [ | ||
| { | ||
| actor_id: 0, | ||
| actor_type: "OrganizationAdmin", | ||
| bypass_mode: "always" | ||
| }, | ||
| { | ||
| actor_id: 3167543, | ||
| actor_type: "Integration", | ||
| bypass_mode: "pull_request" | ||
| } |
There was a problem hiding this comment.
The bypass actor for the Integration is hard-coded to actor_id=3167543, which is brittle (IDs can differ across orgs/enterprise instances and are hard to validate/recover if changed). To make the script reliably applicable across repos/environments, resolve the integration ID dynamically (e.g., via GitHub API lookup by slug/name) or accept it as a configurable input (env var/flag) and fail with a clear message if it can’t be resolved.
| local pr_quality_id | ||
| pr_quality_id=$(echo "$existing_rulesets" | jq -r '.[] | select(.name == "pr-quality") | .id' 2>/dev/null || echo "") | ||
|
|
There was a problem hiding this comment.
If multiple rulesets with the same name exist, this jq expression can return multiple IDs (newline-separated), which would produce an invalid endpoint in the subsequent PUT request. Consider constraining this to a single ID (e.g., selecting the first match) and optionally detecting/reporting duplicates explicitly so the script behaves deterministically.
| local pr_quality_id | |
| pr_quality_id=$(echo "$existing_rulesets" | jq -r '.[] | select(.name == "pr-quality") | .id' 2>/dev/null || echo "") | |
| local pr_quality_match_count | |
| pr_quality_match_count=$(echo "$existing_rulesets" | jq -r '[.[] | select(.name == "pr-quality")] | length' 2>/dev/null || echo "0") | |
| local pr_quality_id | |
| pr_quality_id=$(echo "$existing_rulesets" | jq -r '[.[] | select(.name == "pr-quality") | .id][0] // empty' 2>/dev/null || echo "") | |
| if [ "$pr_quality_match_count" -gt 1 ]; then | |
| err " Found multiple pr-quality rulesets for $ORG/$repo; refusing to continue because the target ruleset is ambiguous" | |
| return 1 | |
| fi |
| required_review_thread_resolution: true | ||
| } | ||
| }, | ||
| { type: "required_linear_history" }, |
There was a problem hiding this comment.
The PR description states 'Linear history (squash-only)'. The required_linear_history ruleset enforces no merge commits (linear history) but does not enforce 'squash-only' specifically (rebases can still yield a linear history depending on repo merge settings). Either adjust the wording in the PR description/standards to 'linear history' or add/ensure separate repo settings enforcement for allowed merge methods if 'squash-only' is required.
|
CI is green ✅ — all checks pass (Lint, ShellCheck, CodeQL, SonarCloud, Agent Security Scan). Copilot left 3 inline comments but its review state is COMMENTED (not CHANGES_REQUESTED). No blockers. @don-petry — ready for your review and merge. After merging, run the script with an admin token to create the ruleset and resolve the compliance finding: GH_TOKEN=<admin-token> ./scripts/apply-rulesets.sh .github |
Summary
build_pr_quality_ruleset_json()toscripts/apply-rulesets.shthat builds the standardpr-qualityruleset payload perstandards/github-settings.mdapply_rulesets()to create/update thepr-qualityruleset on each target repo alongsidecode-qualitystandards/github-settings.mdabout this gapRuleset configuration:
~DEFAULT_BRANCH)required_linear_historyrule)Usage — apply with an admin token after merging:
The compliance finding won't close until the ruleset is actually created on the repo by running the script with an admin token.
Closes #48
Generated with Claude Code