chore: promote next to main #384
Codify the review requirement on the `next` integration branch: bump `.github/rulesets/next.json` to one required approval and update GOVERNANCE.md, which previously documented "no required review". The live ruleset already enforces this; this brings the source file and the governance doc back in sync with it. Trades a little batch velocity for a review gate on non-bypass PRs; the release bot and the admin team keep their existing bypass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Three doc/reality gaps found while auditing the promote/back-merge flow:
- MAINTAINERS said the Release PR merges with "no admin needed"; CI actually auto-merges it `--squash --admin` (a plain merge is refused even for the bypass App). Corrected to match ci.yml.
- Documented that head branches are not auto-deleted (`delete_branch_on_merge: false`), so `next` survives the promote and the back-merge never hits a missing branch.
- Added the recovery step when `next` is somehow missing: recreate it from `main` before resyncing.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The per-tool release archives were built with a pinned `@ai-driven-dev/cli@4.6.1`, a full major behind the published 5.0.2. Verified across all 9 matrix cells: 5.0.2 builds every target, and the only output change is a fix. In marketplace mode (claude/cursor/copilot), 4.6.1 collapsed aidd-dev's `plugin.json` `agents` from the source's explicit file list (`./agents/executor.md`, `./agents/checker.md`) down to a bare `./agents` directory; 5.0.2 preserves the explicit files, matching the source. The flat targets and codex are byte-identical between the two versions. v5 refuses to build when `--out` is absent; the step already `mkdir -p`s it, so the bump is safe. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 364cf2d4d9
| To change protection, edit `.github/rulesets/main.json`, then apply it live: | ||
| Head branches are **not** auto-deleted on merge (`delete_branch_on_merge: false`): the promote PR merges `next` into `main` without deleting `next`, so the back-merge that realigns `next` afterwards never hits a missing branch. Do not re-enable the setting. | ||
|
|
||
| To change protection, edit `.github/rulesets/main.json` (or `next.json`), then apply it live: |
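Review bot: the added parenthetical "(or `next.json`)" on the last line of this hunk points maintainers of `next` at the same apply block, but the hunk does not touch the apply commands that follow it, so the block still names `.github/rulesets/main.json` (with its `refs/heads/main` condition); a maintainer who only swaps in the `next` ruleset id would overwrite the `next` ruleset with the `main` payload. Either give `next.json` its own apply block or bind file and id to one variable (e.g. `--input .github/rulesets/$RULESET.json` with the id looked up from the same `$RULESET`) so they cannot drift apart. The `delete_branch_on_merge: false` line reads well; since the surrounding text is about ruleset files, it would help to note that this setting lives in the repository settings, not in a ruleset.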
Use the matching ruleset file when applying next protection
When the change is to `next.json`, this new parenthetical tells maintainers to use the same apply block, but the block still uploads `.github/rulesets/main.json`. If they substitute the `next` ruleset id while following this guidance, GitHub receives the `main` ruleset payload, including the `refs/heads/main` condition, for the `next` ruleset and `next` is left without the intended protection; please split the commands or make the file/id placeholders match.
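An added pre-apply check for the mistake this comment describes (example code, not the project's own): it refuses a ruleset payload whose `ref_name` condition or name does not match the branch it is about to be applied to, and also confirms the `pull_request` rule keeps the one-approval gate this PR introduces. The two inline rulesets are constructed stand-ins for `main.json` and `next.json`, the JSON shape is GitHub's standard ruleset format, and `RULESET_ID` in the usage comment is a placeholder.

```python
import json
import sys

# Constructed stand-ins for .github/rulesets/main.json and next.json (not the repo's files);
# the shape follows GitHub's ruleset JSON: conditions.ref_name.include and rules[].type.
MAIN_RULESET = {
    "name": "main", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}},
    "rules": [{"type": "pull_request",
               "parameters": {"required_approving_review_count": 1}}],
}
NEXT_RULESET = {**MAIN_RULESET, "name": "next",
                "conditions": {"ref_name": {"include": ["refs/heads/next"], "exclude": []}}}


def ruleset_problems(ruleset: dict, branch: str, min_approvals: int = 1) -> list:
    """Reasons this payload must NOT be applied as the ruleset for `branch` (empty == OK)."""
    problems = []
    expected = f"refs/heads/{branch}"
    include = ruleset.get("conditions", {}).get("ref_name", {}).get("include", [])
    if include != [expected]:
        problems.append(f"ref_name.include is {include}, expected [{expected!r}]")
    if ruleset.get("name") != branch:
        problems.append(f"ruleset name {ruleset.get('name')!r} does not match branch {branch!r}")
    pr_rules = [r for r in ruleset.get("rules", []) if r.get("type") == "pull_request"]
    if not pr_rules:
        problems.append("no pull_request rule, so there is no review gate at all")
    for rule in pr_rules:
        count = rule.get("parameters", {}).get("required_approving_review_count", 0)
        if count < min_approvals:
            problems.append(f"required_approving_review_count={count} < {min_approvals}")
    return problems


def check_file(path: str, branch: str) -> list:
    """Load a ruleset file from disk and run the same checks."""
    with open(path, encoding="utf-8") as fh:
        return ruleset_problems(json.load(fh), branch)


if __name__ == "__main__":
    # Usage: python check_ruleset.py .github/rulesets/next.json next
    # Only if this exits 0 should the apply step run (RULESET_ID is a placeholder):
    #   gh api --method PUT repos/OWNER/REPO/rulesets/RULESET_ID --input .github/rulesets/next.json
    path, branch = sys.argv[1], sys.argv[2]
    found = check_file(path, branch)
    for problem in found:
        print("refusing to apply:", problem)
    sys.exit(1 if found else 0)
```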
| "type": "pull_request", | ||
| "parameters": { | ||
| "required_approving_review_count": 0, | ||
| "required_approving_review_count": 1, |
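Review bot: raising `required_approving_review_count` from 0 to 1 only adds a meaningful gate if the rest of the `pull_request` parameters back it up; this hunk shows neither `dismiss_stale_reviews_on_push` nor `require_last_push_approval`, so an approval given before a later push would still satisfy the rule for the new commits (assumption: those keys are not set elsewhere in `next.json`). Consider adding both alongside this change, and note in GOVERNANCE.md that any PR not covered by `bypass_actors` (the commit message names only the release bot and the admin team) will now block on a human approval.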
Preserve Dependabot auto-merge when requiring reviews
For non-major Dependabot PRs targeting `next`, `.github/workflows/dependabot-auto-merge.yml` only runs `gh pr merge --auto --squash`; the upstream `gh pr merge` manual says `--auto` merges only after necessary requirements are met, while `--admin` is the flag for merging despite unmet requirements. With this line adding a required approval and no workflow step that approves the PR, those patch/minor dependency PRs will now wait for a human review instead of auto-merging once checks pass, so either keep Dependabot exempt/approved or use an explicit bypass path for that workflow.
Automated promotion of `next` to `main`. Merged by rebase to preserve conventional commits for release-please. Do not squash.