
fix(apply-rulesets): use Tier 1 reusable check names#94

Merged

don-petry merged 1 commit into main from fix/apply-rulesets-tier1-check-names on Apr 8, 2026

Conversation

@don-petry
Contributor

@don-petry don-petry commented Apr 8, 2026

Closes #91.

scripts/apply-rulesets.sh previously composed claude.yml's required check name as `<workflow-display-name> / claude` (e.g. Claude Code / claude). GitHub actually publishes reusable check names as `<caller-job-id> / <reusable-job-id-or-name>` (e.g. claude-code / claude). The old format never matched real checks, which is why petry-projects/markets#78 and petry-projects/bmad-bgreat-suite#78 deadlocked yesterday.

Changes

  • Drop the legacy claude.yml block from build_required_status_checks.
  • Add the centralized workflows that ARE safe to require:
    • agent-shield / AgentShield
    • dependency-audit / Detect ecosystems
  • Document why the others (claude-code, per-ecosystem audit jobs, dependabot-*, feature-ideation) are intentionally NOT required.

Test plan

  • bash -n and shellcheck clean
  • CI on this branch
  • After merge, manually run apply-rulesets.sh against each petry-projects repo to converge

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated automated status check requirements to enforce new security and dependency audit workflows.

Closes #91.

`scripts/apply-rulesets.sh` previously only knew about claude.yml,
sonarcloud.yml, codeql.yml, and ci.yml when building required-status-
checks lists. For claude.yml it composed `<workflow-display-name> /
claude` (e.g. "Claude Code / claude") — but GitHub actually publishes
reusable check names as `<caller-job-id> / <reusable-job-id-or-name>`,
which is "claude-code / claude". The old format never matched real
checks, so the rule was effectively never satisfied — which is why
markets and bmad-bgreat-suite deadlocked at merge time after #87.

Fix:
- Drop the legacy claude.yml block.
- Hardcode the new check names for the centralized workflows that ARE
  safe to require: `agent-shield / AgentShield` and
  `dependency-audit / Detect ecosystems`.
- Document why claude-code / claude, the per-ecosystem dependency-audit
  jobs, dependabot-{automerge,rebase}, and feature-ideation are NOT
  required: claude-code's app-token validation deadlocks workflow PRs;
  per-ecosystem jobs report SKIPPED when their lockfile is absent and
  required-but-skipped fails the gate; the dependabot/feature-ideation
  jobs run on triggers other than regular PRs.

After this lands, run `apply-rulesets.sh` against every petry-projects
repo to converge on the new names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
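The naming rule the description and commit message rely on, worked through as an added example in POSIX sh. This is not the project's scripts/apply-rulesets.sh; the reusable-workflow YAML, the job ids and the caller job id `dependency-audit` below are constructed for illustration. It composes `<caller-job-id> / <reusable-job-name-or-id>` from a reusable workflow's jobs, shows the legacy display-name form beside it, drops jobs that carry a job-level `if:` (the per-ecosystem case this PR excludes, since it reports the skipped check as failing the gate), and emits the resulting rulesets-API rule object.

```shell
#!/bin/sh
# Added example, not petry-projects' scripts/apply-rulesets.sh.
# GitHub names a reusable-workflow job's check
# "<caller-job-id> / <reusable-job-name-or-id>"; the legacy
# "<workflow-display-name> / <job>" form never matches a real check.
set -eu

# Constructed reusable workflow (assumption, not a petry-projects file):
# one unconditional job with a display name, and one job gated on a
# lockfile, which is skipped in repos that lack that lockfile.
SAMPLE_REUSABLE_WORKFLOW='name: Dependency Audit
on:
  workflow_call:
jobs:
  detect:
    name: Detect ecosystems
    runs-on: ubuntu-latest
    steps:
      - run: ls
  npm-audit:
    name: npm audit
    if: ${{ hashFiles("package-lock.json") != "" }}
    runs-on: ubuntu-latest
    steps:
      - run: npm audit
'

# Read a reusable workflow on stdin; print "<job name or id>|<cond>" per
# job, where cond is 1 when the job has a job-level if:.
reusable_jobs() {
  in_jobs=0; job=""; name=""; cond=0
  while IFS= read -r line; do
    if [ "$line" = "jobs:" ]; then in_jobs=1; continue; fi
    [ "$in_jobs" -eq 1 ] || continue
    case "$line" in
      '    name:'*) name=${line#'    name:'}; name=${name# } ;;
      '    if:'*)   cond=1 ;;
      '  '*:)       # two-space-indented key ending in ':' may be a job id
        rest=${line#'  '}
        case "$rest" in
          ' '*) ;;  # deeper key (steps:, with:, ...), not a job
          *) [ -n "$job" ] && printf '%s|%s\n' "${name:-$job}" "$cond"
             job=${rest%:}; name=""; cond=0 ;;
        esac ;;
    esac
  done
  [ -n "$job" ] && printf '%s|%s\n' "${name:-$job}" "$cond"
  return 0
}

# Print the check context GitHub publishes for each job of the reusable
# workflow in $2 when it is called from caller job id $1. With $3 = safe,
# drop jobs that carry an if:, the case the PR keeps out of required checks.
compose_contexts() {
  caller_job=$1; yaml=$2; mode=${3:-all}
  printf '%s' "$yaml" | reusable_jobs | while IFS='|' read -r jname jcond; do
    if [ "$mode" = safe ] && [ "$jcond" -eq 1 ]; then continue; fi
    printf '%s / %s\n' "$caller_job" "$jname"
  done
}

# Legacy composition from the caller workflow's display name ($1) and the
# reusable job id ($2); no check is ever published under this context.
legacy_context() {
  printf '%s / %s\n' "$1" "$2"
}

# Turn contexts on stdin (one per line) into the required_status_checks
# rule object of a ruleset, as the REST rulesets API expects it.
required_status_checks_rule() {
  arr=""; sep=""
  while IFS= read -r ctx; do
    arr="$arr$sep{\"context\":\"$ctx\"}"; sep=","
  done
  printf '{"type":"required_status_checks","parameters":{"strict_required_status_checks_policy":true,"required_status_checks":[%s]}}\n' "$arr"
}

# Demo: only the unconditional job is safe to require.
compose_contexts dependency-audit "$SAMPLE_REUSABLE_WORKFLOW" safe | required_status_checks_rule
# → {"type":"required_status_checks","parameters":{"strict_required_status_checks_policy":true,"required_status_checks":[{"context":"dependency-audit / Detect ecosystems"}]}}
```

The caller job id comes from the key under `jobs:` in the repository's caller workflow, not from its `name:`; the reusable side contributes the job's `name:` when set and its id otherwise, which is why the context reads `dependency-audit / Detect ecosystems` rather than `Dependency Audit / detect`.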
Copilot AI review requested due to automatic review settings April 8, 2026 16:47
@coderabbitai

coderabbitai Bot commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 51c56cd0-0688-4815-8525-7a413228971f

📥 Commits

Reviewing files that changed from the base of the PR and between 67cb057 and 0094248.

📒 Files selected for processing (1)
  • scripts/apply-rulesets.sh

📝 Walkthrough

Modified scripts/apply-rulesets.sh to replace dynamic claude.yml check name generation with hardcoded tier-1 centralized workflow detection. Added support for agent-shield.yml and dependency-audit.yml with fixed check name mappings, and introduced explicit exclusions for non-required checks.

Changes

Cohort: Script logic updates
File(s): scripts/apply-rulesets.sh
Summary: Replaced dynamic claude.yml handling with hardcoded tier-1 workflow mappings: agent-shield.yml → agent-shield / AgentShield, dependency-audit.yml → dependency-audit / Detect ecosystems. Added explicit exclusions for claude-code / claude, dependabot-automerge / dependabot-rebase, and feature-ideation checks to prevent incorrect requirement enforcement.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


🚥 Pre-merge checks: 5 passed

Description Check: ✅ Passed. Check skipped: CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately reflects the main change: replacing dynamic claude.yml logic with hardcoded Tier 1 check names following GitHub's correct naming convention.
Linked Issues check: ✅ Passed. The changes fully implement all coding requirements from issue #91: correct check name format, handle Tier 1 workflows, document exclusions, and remove legacy logic.
Out of Scope Changes check: ✅ Passed. All changes are directly scoped to the linked issue #91 requirements: fixing check names in detect_required_checks and handling Tier 1 workflows.
Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.


@sonarqubecloud

sonarqubecloud Bot commented Apr 8, 2026

Contributor

Copilot AI left a comment


Pull request overview

Updates the org ruleset application script to require only the Tier 1 reusable workflow checks whose published check contexts are stable and safe to gate merges on, avoiding deadlocks caused by mismatched reusable-workflow check names.

Changes:

  • Removes the legacy claude.yml required-check composition logic (workflow display name–based) from required check detection.
  • Adds required check contexts for Tier 1 centralized workflows that are safe to require (agent-shield / AgentShield, dependency-audit / Detect ecosystems).
  • Documents why other centralized workflows are intentionally not required (e.g., claude-code, conditional per-ecosystem audits, dependabot-* and scheduled workflows).


@don-petry don-petry merged commit 07ca6ff into main Apr 8, 2026
24 checks passed
@don-petry don-petry deleted the fix/apply-rulesets-tier1-check-names branch April 8, 2026 17:01
don-petry added a commit to petry-projects/ContentTwin that referenced this pull request Apr 18, 2026
Bring setup-rulesets.sh in sync with the live code-quality ruleset:
- Add CodeQL, Lint, and Format to required_status_checks
- Set strict_required_status_checks_policy to true
- Explicitly exclude claude-code / claude (comment explains the deadlock
  it causes on workflow-modifying PRs per petry-projects/.github#94)

Closes #81

Co-authored-by: don-petry <don-petry@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

apply-rulesets.sh: handle Tier 1 reusable check names

2 participants