Add CI workflow and main-branch ruleset definition

lionuncle · claude · lionuncle · commit 51c52bb5011d · 2026-04-09T22:08:07.000+05:00
Sets up everything needed to protect main once the repo flips to public.

CI workflow (.github/workflows/ci.yml) runs on every PR:
- python (3.9-3.12) — verifies cli.py imports + editable install works
  on every supported Python version. Catches the 3.9 PEP 604 regression
  the audit pass fixed and any future drift.
- version-sync — verifies pyproject.toml, npm/package.json, and
  src/rpr/__init__.py agree.
- json-lint — validates examples/config.json and npm/package.json.
- shellcheck — lints install.sh, scripts/bump.sh, and the new
  setup-branch-protection.sh.
- npm-pack — exercises the npm prepack hook to make sure the package
  still builds.

Branch protection (scripts/setup-branch-protection.sh) is an idempotent
script that creates or updates a repository ruleset enforcing:
- No deletion or force-push to main
- Linear history (squash/rebase merges only)
- All changes through pull request, conversations resolved
- All eight CI checks must pass before merge
- Org admins (dedev-llc maintainers) may bypass in an emergency

GitHub gates rulesets behind a paid plan for private repos on the free
tier — verified by testing both 'gh api branches/main/protection' and
'gh api rulesets', both 403 with 'Upgrade to GitHub Pro'. So the script
can't run today; it's staged for the maintainer to invoke once the repo
goes public. CONTRIBUTING.md has the one-line instructions.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,105 @@
+name: ci
+
+# Runs on every PR targeting main, plus pushes to main itself. The job names
+# below are referenced by name in scripts/setup-branch-protection.sh — if you
+# rename a job, update the ruleset script too.
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  python:
+    name: python (${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Verify cli.py imports and --help works
+        run: python src/rpr/cli.py --help > /dev/null
+
+      - name: Editable install + module entry point
+        run: |
+          pip install -e .
+          python -c "import rpr; print('rpr', rpr.__version__)"
+          rpr --help > /dev/null
+          python -m rpr --help > /dev/null
+
+  version-sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Verify pyproject.toml, npm/package.json and __init__.py agree
+        run: |
+          set -euo pipefail
+          py_version=$(python3 -c 'import tomllib; print(tomllib.load(open("pyproject.toml","rb"))["project"]["version"])')
+          npm_version=$(node -p "require('./npm/package.json').version")
+          init_version=$(python3 -c 'import re,pathlib; m=re.search(r"__version__\s*=\s*\"([^\"]+)\"", pathlib.Path("src/rpr/__init__.py").read_text()); print(m.group(1) if m else "MISSING")')
+
+          echo "pyproject.toml      = $py_version"
+          echo "npm/package.json    = $npm_version"
+          echo "src/rpr/__init__.py = $init_version"
+
+          if [ "$py_version" != "$npm_version" ] || [ "$py_version" != "$init_version" ]; then
+            echo "::error::Version mismatch — use scripts/bump.sh to update all three files in lockstep"
+            exit 1
+          fi
+
+  json-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Validate JSON files
+        run: |
+          set -euo pipefail
+          for f in examples/config.json npm/package.json; do
+            python3 -c "import json,sys; json.load(open('$f'))"
+            echo "ok: $f"
+          done
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run shellcheck on shell scripts
+        run: |
+          set -euo pipefail
+          sudo apt-get update -qq && sudo apt-get install -y -qq shellcheck
+          shellcheck install.sh scripts/bump.sh scripts/setup-branch-protection.sh
+
+  npm-pack:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - name: npm pack --dry-run (exercises prepack hook)
+        working-directory: npm
+        run: npm pack --dry-run
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -81,6 +81,25 @@ gh pr create --fill            # review, merge — workflow publishes to PyPI, n
 
 The workflow's preflight check fails fast if the three version files drift, so always use `scripts/bump.sh` rather than editing them by hand. See the **Publishing** section of [README.md](README.md#publishing-maintainer-notes) for the secrets and one-time setup the workflow depends on.
 
+## Branch protection (maintainers only)
+
+The `main` branch is protected by a ruleset defined in [`scripts/setup-branch-protection.sh`](scripts/setup-branch-protection.sh). The ruleset enforces:
+
+- No deletion of `main`, no force-pushes
+- Linear history (squash or rebase merges only)
+- All changes go through a pull request
+- All CI checks in [`.github/workflows/ci.yml`](.github/workflows/ci.yml) must pass before merge
+- Conversations resolved before merge
+- Org admins (i.e. maintainers) may bypass in an emergency
+
+GitHub gates rulesets behind a paid plan for **private** repos. While the repo is private, the script can't apply the ruleset (CI still runs on PRs, but the rules aren't enforced). After flipping the repo to public:
+
+```bash
+scripts/setup-branch-protection.sh
+```
+
+The script is idempotent — re-run it any time you add or remove CI jobs (just update the `REQUIRED_CHECKS` array first).
+
 ## Questions
 
 Open an issue with the `question` label, or start a discussion if discussions are enabled on the repo.
diff --git a/scripts/setup-branch-protection.sh b/scripts/setup-branch-protection.sh
@@ -0,0 +1,128 @@
+#!/usr/bin/env bash
+# setup-branch-protection.sh — apply the main-branch ruleset to dedev-llc/rpr.
+#
+# Idempotent: re-running updates the existing ruleset rather than duplicating.
+#
+# WHEN TO RUN:
+#   - After flipping the repo from private → public (rulesets are paywalled
+#     on private repos with the free GitHub plan).
+#   - After adding/removing CI checks in .github/workflows/ci.yml — update
+#     the REQUIRED_CHECKS array below to match the new job names.
+#
+# REQUIREMENTS:
+#   - gh CLI authenticated as a dedev-llc org admin
+#   - The CI workflow (.github/workflows/ci.yml) must already exist on main,
+#     otherwise the required status checks will block all PRs forever (no run
+#     can ever produce them).
+#
+# WHAT THE RULESET ENFORCES:
+#   - No deletion of main
+#   - No force pushes (non-fast-forward) to main
+#   - Linear history (no merge commits inside PRs — squash/rebase only)
+#   - All changes go through a pull request
+#   - PR conversations must be resolved before merge
+#   - Stale review approvals are dismissed when new commits are pushed
+#   - All required CI checks must pass before merge
+#   - Org admins can bypass in an emergency (configurable below)
+
+set -euo pipefail
+
+REPO="dedev-llc/rpr"
+RULESET_NAME="main-protection"
+
+# Required CI status check job names — must match the `name:` (or job key when
+# no name is set) of the jobs in .github/workflows/ci.yml. For matrix jobs,
+# include each variant explicitly.
+REQUIRED_CHECKS=(
+  "python (3.9)"
+  "python (3.10)"
+  "python (3.11)"
+  "python (3.12)"
+  "version-sync"
+  "json-lint"
+  "shellcheck"
+  "npm-pack"
+)
+
+# Build the JSON array of required status checks.
+contexts_json=$(printf '%s\n' "${REQUIRED_CHECKS[@]}" \
+  | python3 -c '
+import json, sys
+checks = [{"context": line.strip()} for line in sys.stdin if line.strip()]
+print(json.dumps(checks))
+')
+
+# Build the full ruleset payload. Heredoc + envsubst-style substitution would
+# be cleaner but we want zero dependencies — using python for JSON assembly.
+ruleset_json=$(CONTEXTS="$contexts_json" python3 - <<'PY'
+import json, os
+payload = {
+    "name": "main-protection",
+    "target": "branch",
+    "enforcement": "active",
+    "conditions": {
+        "ref_name": {
+            "include": ["~DEFAULT_BRANCH"],
+            "exclude": [],
+        }
+    },
+    "rules": [
+        {"type": "deletion"},
+        {"type": "non_fast_forward"},
+        {"type": "required_linear_history"},
+        {
+            "type": "pull_request",
+            "parameters": {
+                "required_approving_review_count": 0,
+                "dismiss_stale_reviews_on_push": True,
+                "require_code_owner_review": False,
+                "require_last_push_approval": False,
+                "required_review_thread_resolution": True,
+                "allowed_merge_methods": ["squash", "rebase"],
+            },
+        },
+        {
+            "type": "required_status_checks",
+            "parameters": {
+                "strict_required_status_checks_policy": False,
+                "required_status_checks": json.loads(os.environ["CONTEXTS"]),
+            },
+        },
+    ],
+    "bypass_actors": [
+        # OrganizationAdmin = anyone with org admin role on dedev-llc.
+        # bypass_mode "always" means they can bypass without going through
+        # the normal flow (e.g. emergency direct push). Change to "pull_request"
+        # to require admins to still go through a PR but skip the checks.
+        {
+            "actor_id": 1,
+            "actor_type": "OrganizationAdmin",
+            "bypass_mode": "always",
+        }
+    ],
+}
+print(json.dumps(payload, indent=2))
+PY
+)
+
+echo "Target repo:   $REPO"
+echo "Ruleset name:  $RULESET_NAME"
+echo "Required checks:"
+printf '  - %s\n' "${REQUIRED_CHECKS[@]}"
+echo
+
+# Look for an existing ruleset with the same name.
+existing_id=$(gh api "repos/$REPO/rulesets" --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" 2>/dev/null || true)
+
+if [ -n "$existing_id" ]; then
+  echo "Updating existing ruleset (id=$existing_id)..."
+  printf '%s' "$ruleset_json" | gh api -X PUT "repos/$REPO/rulesets/$existing_id" --input - > /dev/null
+  echo "✓ Ruleset updated"
+else
+  echo "Creating new ruleset..."
+  printf '%s' "$ruleset_json" | gh api -X POST "repos/$REPO/rulesets" --input - > /dev/null
+  echo "✓ Ruleset created"
+fi
+
+echo
+echo "View at: https://github.com/$REPO/rules"
