chore(framework): require review on next + sync release-flow docs#382
Conversation
Codify the review requirement on the `next` integration branch: bump `.github/rulesets/next.json` to one required approval and update GOVERNANCE.md, which previously documented "no required review". The live ruleset already enforces this; this brings the source file and the governance doc back in sync with it. Trades a little batch velocity for a review gate on non-bypass PRs; the release bot and the admin team keep their existing bypass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Three doc/reality gaps found while auditing the promote/back-merge flow:
- MAINTAINERS said the Release PR merges with "no admin needed"; CI actually auto-merges it `--squash --admin` (a plain merge is refused even for the bypass App). Corrected to match ci.yml.
- Documented that head branches are not auto-deleted (`delete_branch_on_merge: false`), so `next` survives the promote and the back-merge never hits a missing branch.
- Added the recovery step when `next` is somehow missing: recreate it from `main` before resyncing.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b28de6b414
| "type": "pull_request", | ||
| "parameters": { | ||
| "required_approving_review_count": 0, | ||
| "required_approving_review_count": 1, |
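Review bot: raising `required_approving_review_count` from 0 to 1 is the only parameter this hunk touches; it shows no `dismiss_stale_reviews_on_push` or `require_last_push_approval` setting, so with just the count an approval given before a later push to the PR branch still satisfies the gate. Confirm those parameters in the full `pull_request` block are set as intended, and that the `bypass_actors` block (not in this hunk) still lists only the release App and the admin team the description says keep bypass, since any `always` bypass actor merges without this review at all.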
Preserve Dependabot's unreviewed auto-merge path
With Dependabot updates targeting next (.github/dependabot.yml lines 8 and 21), this new required approval blocks the non-major dependency flow in .github/workflows/dependabot-auto-merge.yml lines 28-30: that job only runs gh pr merge --auto --squash, and GitHub documents that auto-merge completes only when all required reviews and checks are met (https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request). Since the maintainer guide says patch/minor Dependabot PRs auto-merge once checks pass, these PRs will now sit waiting for a human approval unless the workflow is changed to do an explicit bypass merge after checks or the review requirement is exempted for that bot path.
Codifies the review requirement on `next`: `next.json` → 1 approval + GOVERNANCE.md updated (was "no required review"). The live ruleset already enforces 1; this resyncs the source file and doc with it, per the MAINTAINERS 'keep file and live ruleset in sync' rule. Release bot (App, always-bypass) and admin team keep their bypass, so automation and lead-maintainer self-merge are unaffected.
🤖 Generated with Claude Code
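The "keep file and live ruleset in sync" rule above, and the review-gate questions raised in the thread, are the kind of thing that is easy to check mechanically. The script below is an added example, not part of this PR or the project's tooling: it audits a ruleset JSON in GitHub's export shape for a missing or weak `pull_request` review gate and for `always` bypass actors, and reports field-level drift between the source file and a snapshot of the live ruleset. All ruleset data here is constructed (actor ids, names and the drifted value are illustrative); a real run would load `.github/rulesets/next.json` and the output of `gh api repos/OWNER/REPO/rulesets/ID` instead.

```python
"""Audit a GitHub repository ruleset and compare it with a live snapshot.

Added example; the policy encoded here (at least one approval, stale
approvals dismissed, every always-bypass actor surfaced) is an assumption,
not the project's own requirement.
"""
import copy
import json

# Constructed stand-in for .github/rulesets/next.json (shape follows the
# GitHub ruleset export format; ids and values are illustrative).
SOURCE_RULESET = json.loads("""
{
  "name": "next",
  "target": "branch",
  "enforcement": "active",
  "bypass_actors": [
    {"actor_id": 123456, "actor_type": "Integration", "bypass_mode": "always"},
    {"actor_id": 7890, "actor_type": "Team", "bypass_mode": "always"}
  ],
  "rules": [
    {"type": "deletion"},
    {"type": "pull_request", "parameters": {
      "required_approving_review_count": 1,
      "dismiss_stale_reviews_on_push": false,
      "require_code_owner_review": false,
      "require_last_push_approval": false,
      "required_review_thread_resolution": false
    }}
  ]
}
""")

# Constructed snapshot of the "live" ruleset, drifted in one field
# (someone toggled stale-review dismissal in the UI without updating the file).
LIVE_RULESET = copy.deepcopy(SOURCE_RULESET)
LIVE_RULESET["rules"][1]["parameters"]["dismiss_stale_reviews_on_push"] = True

# Constructed pre-change state (no required review), for comparison.
PREVIOUS_RULESET = copy.deepcopy(SOURCE_RULESET)
PREVIOUS_RULESET["rules"][1]["parameters"]["required_approving_review_count"] = 0


def pull_request_params(ruleset):
    """Return the parameters of the pull_request rule, or None if absent."""
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "pull_request":
            return rule.get("parameters", {})
    return None


def audit(ruleset):
    """Return human-readable findings about the review gate and bypass paths."""
    findings = []
    params = pull_request_params(ruleset)
    if params is None:
        findings.append("no pull_request rule: changes are not gated by review")
        return findings
    count = params.get("required_approving_review_count", 0)
    if count < 1:
        findings.append(f"required_approving_review_count is {count}; no review gate")
    if not params.get("dismiss_stale_reviews_on_push", False):
        findings.append("dismiss_stale_reviews_on_push is false; an approval given "
                        "before a later push still satisfies the gate")
    for actor in ruleset.get("bypass_actors", []):
        if actor.get("bypass_mode") == "always":
            findings.append(f"bypass actor {actor['actor_type']}:{actor['actor_id']} "
                            "merges without review (bypass_mode=always)")
    return findings


def drift(source, live):
    """Return dotted paths whose values differ between source file and live ruleset."""
    diffs = []

    def walk(a, b, path):
        if isinstance(a, dict) and isinstance(b, dict):
            for key in sorted(set(a) | set(b)):
                walk(a.get(key), b.get(key), f"{path}.{key}" if path else key)
        elif isinstance(a, list) and isinstance(b, list):
            if len(a) != len(b):
                diffs.append(path)  # report the list as a whole when lengths differ
            else:
                for i, (x, y) in enumerate(zip(a, b)):
                    walk(x, y, f"{path}[{i}]")
        elif a != b:
            diffs.append(path)

    walk(source, live, "")
    return diffs


if __name__ == "__main__":
    for line in audit(SOURCE_RULESET):
        print("finding:", line)
    for path in drift(SOURCE_RULESET, LIVE_RULESET):
        print("drift:", path)
```

The drift report is what the MAINTAINERS sync rule needs in CI: a non-empty list means the checked-in file no longer describes what GitHub actually enforces. The audit findings are advisory; an `always` bypass actor is not a defect when it is the intended release bot, but it should be a conscious entry, which is why each one is listed.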