From 7c8bfb011d5355133fe571f60ed90c025d176dc7 Mon Sep 17 00:00:00 2001 From: Baptiste LAFOURCADE Date: Wed, 1 Jul 2026 21:33:31 +0200 Subject: [PATCH 1/3] chore(framework): require one review on next Codify the review requirement on the `next` integration branch: bump `.github/rulesets/next.json` to one required approval and update GOVERNANCE.md, which previously documented "no required review". The live ruleset already enforces this; this brings the source file and the governance doc back in sync with it. Trades a little batch velocity for a review gate on non-bypass PRs; the release bot and the admin team keep their existing bypass. Co-Authored-By: Claude Opus 4.8 --- .github/rulesets/next.json | 2 +- GOVERNANCE.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/rulesets/next.json b/.github/rulesets/next.json index 74a98815..146c93a0 100644 --- a/.github/rulesets/next.json +++ b/.github/rulesets/next.json @@ -16,7 +16,7 @@ { "type": "pull_request", "parameters": { - "required_approving_review_count": 0, + "required_approving_review_count": 1, "dismiss_stale_reviews_on_push": false, "require_code_owner_review": false, "require_last_push_approval": false, diff --git a/GOVERNANCE.md b/GOVERNANCE.md index 066d6b5e..a8e7cee6 100644 --- a/GOVERNANCE.md +++ b/GOVERNANCE.md @@ -84,9 +84,9 @@ a PR with ≥1 Habilité (CODEOWNERS) approval, passing checks (`lefthook form: [`.github/rulesets/main.json`](.github/rulesets/main.json) (enforced once the repo is public / on a paid plan). -`next` is the integration branch: PRs and passing checks, no direct push or -deletion, but no required review so the week's work batches quickly. The release -bot bypasses to push the automated back-merge. Machine-readable form: +`next` is the integration branch: PRs with ≥1 review and passing checks, no +direct push or deletion. The release bot bypasses to push the automated +back-merge, and the `admin` team may merge without a second review. Machine-readable form: [`.github/rulesets/next.json`](.github/rulesets/next.json). The release flow is in [`RELEASE.md`](RELEASE.md). From a52188734c2c6822bfc3f59ee45d3c12400ca300 Mon Sep 17 00:00:00 2001 From: Baptiste LAFOURCADE Date: Wed, 1 Jul 2026 21:36:32 +0200 Subject: [PATCH 2/3] docs(framework): sync release-flow docs with reality Three doc/reality gaps found while auditing the promote/back-merge flow: - MAINTAINERS said the Release PR merges with "no admin needed"; CI actually auto-merges it `--squash --admin` (a plain merge is refused even for the bypass App). Corrected to match ci.yml. - Documented that head branches are not auto-deleted (`delete_branch_on_merge: false`), so `next` survives the promote and the back-merge never hits a missing branch. - Added the recovery step when `next` is somehow missing: recreate it from `main` before resyncing. Co-Authored-By: Claude Opus 4.8 --- docs/MAINTAINERS.md | 8 +++++--- docs/RELEASE.md | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/MAINTAINERS.md b/docs/MAINTAINERS.md index 06b0dc8a..cd9f71e7 100644 --- a/docs/MAINTAINERS.md +++ b/docs/MAINTAINERS.md @@ -86,8 +86,8 @@ Dependabot labels its PRs `dependencies` only (ecosystem sub-labels were dropped release-please opens/updates a `chore: release main` PR on each push to `main`. -1. Review the version bumps + changelog in the release PR (it is authored by the **aidd-bot** App, so its checks run normally). -2. Merge it: `gh pr merge --squash`. No admin needed - the App is a ruleset bypass actor, so its PRs merge once checks pass. +1. (Optional) Review the version bumps + changelog. The PR is authored by the **aidd-bot** App, so its checks run normally. +2. CI **auto-merges** it with the App token (`--squash --admin`); no human step is needed. `--admin` is required because a plain `gh pr merge` is refused even for the bypass App. 3. CI tags each bumped package, creates the GitHub Releases, and attaches the bundles: - `aidd-framework-marketplace-X.Y.Z.zip` (`.claude-plugin/` + `plugins/`) - `-vX.Y.Z.zip` @@ -109,7 +109,9 @@ Two bypass actors (both `pull_request` mode, so neither can push directly to `ma The App: ID in secret `AIDD_BOT_APP_ID`, key in `AIDD_BOT_PRIVATE_KEY`. If the App is broken/uninstalled, release and Dependabot PRs stop merging - fix the App rather than re-adding an admin bypass. -To change protection, edit `.github/rulesets/main.json`, then apply it live: +Head branches are **not** auto-deleted on merge (`delete_branch_on_merge: false`): the promote PR merges `next` into `main` without deleting `next`, so the back-merge that realigns `next` afterwards never hits a missing branch. Do not re-enable the setting. + +To change protection, edit `.github/rulesets/main.json` (or `next.json`), then apply it live: ```bash gh api -X PUT repos/ai-driven-dev/framework/rulesets/ --input .github/rulesets/main.json ``` diff --git a/docs/RELEASE.md b/docs/RELEASE.md index bc0d0fe3..77ca16d4 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md @@ -57,4 +57,5 @@ ruleset). After each release it either realigns `next` onto `main` (when `next` holds no unreleased work, the normal case) or keeps a merge (when it does), so the rebase-promote hash drift never accumulates. If it ever cannot push, it opens an issue labelled `back-merge-failed`; resync by opening a `main -> next` -PR. +PR. If `next` is missing entirely (it must not be — head branches are not +auto-deleted), recreate it from `main` first: `git push origin main:next`. From 364cf2d4d9f7cf293aa35ee692c9e1ced98c1aef Mon Sep 17 00:00:00 2001 From: Baptiste LAFOURCADE Date: Wed, 1 Jul 2026 22:18:42 +0200 Subject: [PATCH 3/3] ci(framework): bump the framework-build CLI pin to 5.0.2 The per-tool release archives were built with a pinned `@ai-driven-dev/cli@4.6.1`, a full major behind the published 5.0.2. Verified across all 9 matrix cells: 5.0.2 builds every target, and the only output change is a fix. In marketplace mode (claude/cursor/copilot), 4.6.1 collapsed aidd-dev's `plugin.json` `agents` from the source's explicit file list (`./agents/executor.md`, `./agents/checker.md`) down to a bare `./agents` directory; 5.0.2 preserves the explicit files, matching the source. The flat targets and codex are byte-identical between the two versions. v5 refuses to build when `--out` is absent; the step already `mkdir -p`s it, so the bump is safe. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 356729c1..62c66e5a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,7 +157,7 @@ jobs: # path contains the other. Stage under RUNNER_TEMP, not the repo tree. OUT="${RUNNER_TEMP}/dist/${{ matrix.tool }}/${{ matrix.mode }}" mkdir -p "$OUT" - npx --yes @ai-driven-dev/cli@4.6.1 framework build \ + npx --yes @ai-driven-dev/cli@5.0.2 framework build \ --source . --target ${{ matrix.tool }} --out "$OUT" ${{ matrix.flag }} STAGE="$(mktemp -d)/${NAME}" mkdir -p "$STAGE"