docs(governance): enforce release-branch protected flow#7
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates repository governance documentation and adds a GitHub Actions gate to enforce a protected release-branch promotion flow into master.
Changes:
- Document a
develop(integration) →release/*(stabilization) →master(stable) branch and release process, including protected-branch behavior. - Add guidance in
AGENTS.mdto prohibit direct pushes to protected branches even for admins/automation. - Introduce a workflow that fails PRs into
masterunless the source branch isrelease/*.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
docs/doctrine/repo-management.md |
Updates branch model/release process docs; adds protected-branch and hotfix guidance. |
AGENTS.md |
Adds explicit “no direct pushes to protected branches” guidance for contributors/automation. |
.github/workflows/ci-master-promotion.yml |
Adds a CI check enforcing release/* as the only allowed PR source into master. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - `git tag -d vX.Y` | ||
| - `git tag -s vX.Y -m "Release vX.Y" <release-commit>` | ||
| - `git push --force origin vX.Y` |
There was a problem hiding this comment.
Release process steps 7–9 use vX.Y.Z, but step 10 still uses vX.Y in the tag delete/recreate commands. This is inconsistent with the rest of the section and would lead readers to run the wrong commands; update step 10 to use the same vX.Y.Z placeholder throughout (including the force-push line).
| - `git tag -d vX.Y` | |
| - `git tag -s vX.Y -m "Release vX.Y" <release-commit>` | |
| - `git push --force origin vX.Y` | |
| - `git tag -d vX.Y.Z` | |
| - `git tag -s vX.Y.Z -m "Release vX.Y.Z" <release-commit>` | |
| - `git push --force origin vX.Y.Z` |
| on: | ||
| pull_request_target: | ||
| branches: | ||
| - master |
There was a problem hiding this comment.
This workflow uses pull_request_target but does not set explicit permissions. On pull_request_target, GITHUB_TOKEN is granted repository-scoped permissions by default, which is unnecessary for this check (it only reads event metadata) and increases blast radius if the workflow is ever extended. Add an explicit minimal permissions block (e.g., empty or read-only) at the workflow or job level.
Summary