From 171c44d0981fa890b1b3ccfe8b39f7985aa0a141 Mon Sep 17 00:00:00 2001 From: DJ Date: Wed, 8 Apr 2026 15:41:05 -0700 Subject: [PATCH 1/2] docs(dependabot-policy): App secrets at org level + skip rebase if non-strict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three updates to standards/dependabot-policy.md based on findings from the org-wide compliance work in petry-projects/.github#87..96 and petry-projects/ContentTwin#53: 1. APP_ID / APP_PRIVATE_KEY are documented as ORG-LEVEL secrets, not per-repo. The reusable callers use `secrets: inherit` so any repo with a centralized dependabot workflow picks them up automatically from org. Per-repo copies are deprecated drift; rotation should happen once at the org level. 2. dependabot-rebase.yml is now marked OPTIONAL — adopt only when the repo enforces strict required-status-checks. Non-strict repos (e.g. petry-projects/bmad-bgreat-suite) don't need it because PRs that fall behind can merge as-is. Adding the rebase workflow on non-strict repos just produces failure noise from missing app secrets and serves no purpose. 3. The required-status-check guidance now names the canonical reusable check (`dependency-audit / Detect ecosystems`) and warns against requiring per-ecosystem jobs, which report SKIPPED when their lockfile is absent and would fail the gate. Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/dependabot-policy.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/standards/dependabot-policy.md b/standards/dependabot-policy.md index 66ad686..4b77fd4 100644 --- a/standards/dependabot-policy.md +++ b/standards/dependabot-policy.md 
@@ -200,10 +200,25 @@ The workflow fails if any known vulnerability is found, blocking the PR from mer 1. Copy the appropriate `dependabot.yml` template to `.github/dependabot.yml`, adjusting `directory` paths as needed. 2. Add `workflows/dependabot-automerge.yml` to `.github/workflows/`. -3. Add `workflows/dependabot-rebase.yml` to `.github/workflows/`. +3. Add `workflows/dependabot-rebase.yml` to `.github/workflows/` **only if the + repo enforces strict required-status-checks** (i.e., "branches must be up + to date before merging" is on, either via the new ruleset system's + `strict_required_status_checks_policy: true` or classic branch protection's + `required_status_checks.strict: true`). If strict checks are off, the + rebase workflow is unnecessary because Dependabot PRs that fall behind can + merge as-is — adding it just creates churn and failure noise. 4. Add `workflows/dependency-audit.yml` to `.github/workflows/`. -5. Ensure the repository has the GitHub App secrets (`APP_ID`, `APP_PRIVATE_KEY`) - configured for auto-merge and rebase. +5. **GitHub App secrets** — `APP_ID` and `APP_PRIVATE_KEY` are managed at the + **organization level** (`gh secret set --org petry-projects --visibility all`), + not per-repo. Caller stubs use `secrets: inherit` so any repo with at least + one centralized dependabot workflow picks them up automatically. Per-repo + `APP_ID` / `APP_PRIVATE_KEY` settings are deprecated drift — once the org + secrets are confirmed in place, delete any per-repo copies so there's a + single source of truth and rotations propagate everywhere. 6. Create the `security` and `dependencies` labels in the repository if they don't already exist. -7. Add `dependency-audit` as a required status check in branch protection rules. +7. Add `dependency-audit / Detect ecosystems` as a required status check in + branch protection rules. 
Do **not** require the per-ecosystem audit jobs + (`npm audit`, `govulncheck`, `cargo audit`, `pip-audit`, `pnpm audit`) — + they're conditional on lockfile presence and report `SKIPPED` when absent, + and a required-but-skipped check fails the merge gate. From d3ee2f6290b22cb1ac1731f2d495cbc70582a757 Mon Sep 17 00:00:00 2001 From: DJ Date: Wed, 8 Apr 2026 15:46:32 -0700 Subject: [PATCH 2/2] docs(dependabot-policy): add verification steps before deleting per-repo App secrets CodeRabbit on #97: explain how to confirm org-level secrets exist before deleting per-repo copies. Adds the exact gh CLI command and notes that the dependabot caller stubs must also be confirmed to include 'secrets: inherit' before cleanup, otherwise the workflow falls back to nothing. Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/dependabot-policy.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/standards/dependabot-policy.md b/standards/dependabot-policy.md index 4b77fd4..4a3be07 100644 --- a/standards/dependabot-policy.md +++ b/standards/dependabot-policy.md 
@@ -215,6 +215,21 @@ The workflow fails if any known vulnerability is found, blocking the PR from mer `APP_ID` / `APP_PRIVATE_KEY` settings are deprecated drift — once the org secrets are confirmed in place, delete any per-repo copies so there's a single source of truth and rotations propagate everywhere. + + **Verify before deleting per-repo copies.** Run + + ```bash + gh secret list --org petry-projects | grep -E '^(APP_ID|APP_PRIVATE_KEY)\s' + ``` + + to confirm both org-level secrets exist with `visibility: all`. Then + confirm the dependabot caller stubs in the target repo include + `secrets: inherit` (they will if copied verbatim from + `standards/workflows/dependabot-automerge.yml` and + `standards/workflows/dependabot-rebase.yml`). Only after both checks + pass should you run `gh secret delete APP_ID --repo ` etc. to + clean up the per-repo copies — otherwise the workflow falls back to + nothing and `gh pr review` calls fail with `Secret APP_ID is required`. 6. Create the `security` and `dependencies` labels in the repository if they don't already exist. 7. Add `dependency-audit / Detect ecosystems` as a required status check in
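Review bot: patch 1, step 5 (`gh secret set --org petry-projects --visibility all`): `--visibility all` makes the App private key readable by the workflows of every repository in the org, and because a repository-level secret with the same name takes precedence over the org-level one, any per-repo `APP_ID` / `APP_PRIVATE_KEY` left behind silently keeps the old key after a rotation. Suggest stating that precedence rule explicitly as the reason the copies must be deleted, and mentioning `--visibility selected --repos ...` as the least-privilege option when only the repos that run the centralized workflows need the key. Also worth confirming in the text that the automerge and rebase workflows are not triggered by Dependabot-originated `pull_request` / `push` events, since those runs receive only Dependabot secrets, not the Actions secrets this command sets. Step 3 names the two settings that decide whether the rebase workflow is needed but gives no way to read them; a short note on where to check the branch's protection or ruleset (for example via `gh api`) would stop readers guessing.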
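Review bot: patch 2, the verification block: the `grep` only proves that the two names are present; it does not confirm `visibility: all` as the following sentence claims, so tell the reader to check the visibility column of the `gh secret list --org` output (or that the target repo is in the selected list) rather than relying on a non-empty grep. The delete command is also missing its argument (`gh secret delete APP_ID --repo `); it should read `--repo petry-projects/<repo>` and be repeated for `APP_PRIVATE_KEY`, which the trailing `etc.` currently leaves implicit. Finally, consider closing the procedure with a positive check after cleanup, for example re-running one of the Dependabot workflows and confirming it no longer reports `Secret APP_ID is required`, since a silent fallback to a stale or missing secret is exactly the failure this section is trying to prevent.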