chore: enforce peer-reviewed PRs on main, release/*, point/* #621
Open
yurii-vasyliev wants to merge 7 commits into
Add CODEOWNERS so reviews from @canonical/landscape-ui can be required by GitHub's branch ruleset, and check in the ruleset definition itself as version-controlled documented information (ISO 9001 §7.5). The JSON file does not apply itself; see .github/rulesets/README.md for the gh CLI commands a repo admin runs to push it to GitHub. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Match the live state exported from canonical/landscape-ui so the file is
a faithful ISO 9001 §7.5 record. Changes:
- Name follows the GitHub label ("Protected release branches").
- Adds copilot_code_review rule (review_on_push: true).
- Drops the unused changeset-release/** exclude — those branches don't
match release/* or point/* anyway.
- Status-check contexts use the fully-qualified
"<workflow name> / <job id>" form GitHub displays in the Checks tab.
- required_review_thread_resolution: false to match live.
- README documents the deployed ruleset id and a diff command to verify
the committed JSON keeps matching reality.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR adds version-controlled GitHub governance configuration so protected branches can require peer-reviewed, code-owner-approved changes with documented ruleset management.
Changes:
- Adds a repository-wide CODEOWNERS rule for @canonical/landscape-ui.
- Adds a protected-branches ruleset JSON for main, release/*, and point/*.
- Documents how to apply, inspect, and diff the ruleset.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/CODEOWNERS | Defines the default code owner for all paths. |
| .github/rulesets/protected-branches.json | Adds the branch ruleset enforcing reviews, signed commits, linear history, and required checks. |
| .github/rulesets/README.md | Documents ruleset operations and required status-check mappings. |
ethanashaw
previously approved these changes
May 14, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
.github/rulesets/protected-branches.json:50
- These required test check contexts do not match the current PR test workflow name in .github/workflows/run-tests-and-tics.yml (Run tests and TICS report). Because required status checks are matched by their emitted context, the configured Tests + TICS on PRs / ... checks will not be produced unless the workflow name or these contexts are updated consistently.
{ "context": "Tests + TICS on PRs / unit-tests" },
{ "context": "Tests + TICS on PRs / e2e-tests" },
TICS Quality Gate: ✔️ Passed
No changed files applicable for TICS analysis quality gating.
Run-tests-and-TICS-report / tics-report / TICS report
Agent-Logs-Url: https://github.com/canonical/landscape-ui/sessions/61aeaa95-f6a0-4557-a4d6-9506462b0bd0 Co-authored-by: yurii-vasyliev <113896226+yurii-vasyliev@users.noreply.github.com>
Address Copilot review feedback on PR #621:
- protected-branches.json: replace fully-qualified status-check contexts (e.g. "Lint & format / eslint") with the bare check_run.name GitHub Actions actually posts (ESLint, unit-tests, e2e-tests (saas), etc.), pinned to integration_id 15368. The previous values could never match any emitted check and would have left protected PRs unmergeable.
- protected-branches.json: restore branch scope to main, release/*, and point/* — the JSON now matches the deployed ruleset (16386358) exactly, so the diff command in the README produces a clean output.
- README.md: rewrite the "Required status checks" guidance to describe how contexts actually match (bare name + integration_id), refresh the context-to-job mapping table, and fix the diff command (._links, not .links; also strips bypass_actors so [] vs null doesn't noise the diff).
- lint.yml, run-tests-and-tics.yml, changeset-check.yml: extend pull_request.branches to include release/* and point/* so the required checks actually report on PRs into those protected branches. Without this, the ruleset blocks merges forever waiting on checks that never run. changeset-check.yml narrows release/** to release/* to match the ruleset; no existing release/point branch uses nested segments.
The committed JSON never auto-applied — every change needed a manual PUT
to the rulesets API, which left committed source and live config drifting
apart and was the root cause of every Copilot review comment on this PR.
GitHub's built-in ruleset version history in the UI now covers the audit
trail this folder was created for, so the manual-sync ceremony is no
longer worth the friction.
If a version-controlled record is needed later, the live ruleset can be
exported back with:
gh api /repos/canonical/landscape-ui/rulesets/16386358 \
| jq 'del(.id, .source, .source_type, .created_at, .updated_at,
.node_id, .current_user_can_bypass, ._links)' \
> .github/rulesets/protected-branches.json
ethanashaw
approved these changes
May 20, 2026
Why
Landscape's quality management commits us to peer-reviewed code changes — the requirement comes from ISO 9001 §8.3.4 (design & development controls) and §7.5 (documented information for change control), plus ISO/IEC 27001 A.8.32 (change management) and A.8.28 (secure coding). Until now landscape-ui had no enforced PR / review gate at the GitHub layer, so the control existed only as convention.
The branch ruleset that supplies the gate (id 16386358) is already deployed on canonical/landscape-ui and managed in the GitHub UI — the UI now carries its own version history, which is sufficient for the audit trail. This PR adds the two repo-level pieces the ruleset needs to actually work on every protected branch.
What this PR does
- .github/CODEOWNERS: @canonical/landscape-ui, which lets the branch ruleset require review from a Code Owner.
- .github/workflows/lint.yml, run-tests-and-tics.yml, changeset-check.yml: pull_request.branches to include release/* and point/* so the required status checks actually fire on PRs into those protected branches. Without this, PRs targeting release/point would be blocked forever waiting on checks that never report.
An earlier revision of this PR also committed protected-branches.json + a README under .github/rulesets/ as the ISO 9001 §7.5 artifact, but the manual sync between committed JSON and the live ruleset turned into a constant source of drift (every Copilot review thread on this PR traces back to that). GitHub's built-in ruleset version history now covers the audit-trail need without the friction; if a version-controlled snapshot is ever required, it can be re-exported with gh api .../rulesets/16386358 | jq ....
What the live ruleset enforces (FYI, managed in the UI, not part of this PR)
Applies to main, release/*, and point/*:
- @canonical/landscape-ui (Code Owner review required, stale approvals dismissed on new pushes, last-push approval required).
- integration_id: 15368 (GitHub Actions):
  - ESLint, Prettier, Stylelint
  - unit-tests, e2e-tests (saas), e2e-tests (self-hosted)
  - verify
changeset-release/* branches are unaffected because they don't match release/* or point/* (different prefix segments), so the Changesets bot keeps working without an explicit exclusion.
Test plan
- @canonical/landscape-ui covering *.
- main and confirm it can't merge without an approval from a @canonical/landscape-ui member.
- release/26.04 and confirm ESLint / Prettier / Stylelint / unit-tests / e2e-tests (saas) / e2e-tests (self-hosted) / verify all run and block merge until they pass.
- point/* branch and confirm the same checks run.
- release/1.23.1 and confirm it's rejected.
- changeset-release/* still merges normally.
Follow-ups (out of scope)
- release/* and point/* warrant a stricter gate (e.g. 2 approvals), layer a second ruleset targeting just those patterns rather than tightening the shared one.
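
The failure mode described in this PR (a required check that never reports on PRs into release/* or point/* blocks merges indefinitely) can be checked offline before a ruleset is tightened. The following is an added example, not code from this PR or the landscape-ui repository: the glob matcher is a simplified model, and the pre-fix branch filters and the check-to-workflow mapping are constructed assumptions.

```python
import re

def glob_to_regex(pattern):
    """Simplified branch-glob model (assumption): '*' stays inside one
    path segment, '**' may cross '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def matches(branch, patterns):
    return any(glob_to_regex(p).match(branch) for p in patterns)

def unreported_checks(base_branch, workflows, required):
    """Required checks that no workflow triggered by a PR into base_branch emits."""
    reported = set()
    for wf in workflows.values():
        branches = wf["branches"]  # None means no pull_request.branches filter
        if branches is None or matches(base_branch, branches):
            reported.update(wf["checks"])
    return sorted(set(required) - reported)

# Branch scope and check names as listed in the PR description.
PROTECTED = ["main", "release/*", "point/*"]
REQUIRED = ["ESLint", "Prettier", "Stylelint", "unit-tests",
            "e2e-tests (saas)", "e2e-tests (self-hosted)", "verify"]

def sample_workflows(lint_and_test_branches, changeset_branches):
    # Constructed: which workflow emits which check is an assumption.
    return {
        "lint.yml": {"branches": lint_and_test_branches,
                     "checks": ["ESLint", "Prettier", "Stylelint"]},
        "run-tests-and-tics.yml": {"branches": lint_and_test_branches,
                                   "checks": ["unit-tests", "e2e-tests (saas)",
                                              "e2e-tests (self-hosted)"]},
        "changeset-check.yml": {"branches": changeset_branches, "checks": ["verify"]},
    }

BEFORE = sample_workflows(["main"], ["main", "release/**"])  # constructed pre-fix state
AFTER = sample_workflows(PROTECTED, PROTECTED)               # filters after this PR

if __name__ == "__main__":
    for base in ["main", "release/26.04", "point/26.04.1"]:
        print(base, "before:", unreported_checks(base, BEFORE, REQUIRED),
              "after:", unreported_checks(base, AFTER, REQUIRED))
```

Any non-empty result for a protected base branch means the ruleset would wait on a check that never arrives.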