Split release tag rulesets #68

Open
kiwidream wants to merge 1 commit into main from release-tag-ruleset-split

kiwidream (Member) commented Jul 3, 2026

Summary

Split the v* release tag ruleset into separate creation and immutability templates. Release maintainers can bypass tag creation through the release-maintainers team, while tag updates and deletions stay limited to organization admins.

Updated the public branch and ruleset model to document the split rulesets, the release-maintainers team ID, and the migration path for replacing the old combined live ruleset.

Testing

  • Built locally.
  • Ran focused unit or functional tests for the changed area.
  • Ran lint or formatting checks relevant to this change.
  • Not run. Reason: Build and unit/functional tests were not run because this is a GitHub metadata and process-docs-only change.

Validation run:

jq empty .github/rulesets/*.json .github/repository-settings/*.json
git diff --check origin/main...HEAD
python3 ci/checks/classify_merge_profile.py --changed-files <(git diff --name-only origin/main...HEAD) --require-profile github-metadata

Target Branch

  • This PR targets main or a maintainer-requested release branch such as 0.1.x.

Risk / Review Notes

  • Consensus, script, crypto, wallet, P2P, release, CI, or security-sensitive behavior changed.
  • No consensus, script, crypto, wallet, P2P, release, CI, or security-sensitive behavior changed.

Notes: Release tag governance changes only. The PR does not change node runtime behavior.

Docs / Process Impact

Choose exactly one:

  • I updated public docs because this PR changes user-visible behavior, integration guidance, release/process guidance, or expected validation.
  • No public docs update needed. Reason:

libbitcoinpqc Subtree Checklist (if src/libbitcoinpqc changed)

  • Source commit is reachable from an immutable release tag in Qbit-Org/qbit-libbitcoinpqc.
  • qbit imports the tagged upstream tree directly without pruning or a curated subtree branch.
  • Subtree import/update was performed with contrib/devtools/update-libbitcoinpqc-subtree.sh.
  • test/lint/libbitcoinpqc-subtree-check.sh passes locally.
  • Any default tag change in contrib/devtools/update-libbitcoinpqc-subtree.sh is intentional and matches doc/subtrees/libbitcoinpqc.md.


Note

Medium Risk
Changes release tag access control on GitHub; misapplied rulesets could block releases or leave tags mutable, but node runtime is unaffected.

Overview
Release tag governance is split from one combined v* ruleset into two templates: creation and immutability.

The new creation ruleset lets organization admins and the release-maintainers team (team ID 18321137) create refs/tags/v* tags. The immutability ruleset keeps update and deletion restricted to organization admins only—release maintainers are explicitly not bypass actors there, so they cannot rewrite or remove tags after creation.

public-branch-and-rulesets.md documents the two-template model, the break-glass path for tag fixes (org admin only), and migration steps to replace the old combined live ruleset, including verifying the release-maintainers team ID before apply.

Reviewed by Cursor Bugbot for commit 2806130.
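
The split described in this PR can be checked mechanically before the templates are applied. The following is an added example, not code from this PR or repository: it assumes the templates use GitHub's ruleset JSON fields (`target`, `enforcement`, `conditions.ref_name`, `rules`, `bypass_actors`) and that immutability means exactly the `update` and `deletion` rules; the ruleset names and sample documents are constructed.

```python
import json

RELEASE_TEAM_ID = 18321137      # release-maintainers team ID quoted in the PR
TAG_REF = "refs/tags/v*"        # tag pattern quoted in the PR

# Constructed samples in GitHub's ruleset JSON shape; names are hypothetical.
CREATION = json.loads("""{
  "name": "release-tag-creation", "target": "tag", "enforcement": "active",
  "conditions": {"ref_name": {"include": ["refs/tags/v*"], "exclude": []}},
  "rules": [{"type": "creation"}],
  "bypass_actors": [
    {"actor_id": 1, "actor_type": "OrganizationAdmin", "bypass_mode": "always"},
    {"actor_id": 18321137, "actor_type": "Team", "bypass_mode": "always"}]}""")
IMMUTABILITY = json.loads("""{
  "name": "release-tag-immutability", "target": "tag", "enforcement": "active",
  "conditions": {"ref_name": {"include": ["refs/tags/v*"], "exclude": []}},
  "rules": [{"type": "update"}, {"type": "deletion"}],
  "bypass_actors": [
    {"actor_id": 1, "actor_type": "OrganizationAdmin", "bypass_mode": "always"}]}""")


def audit(ruleset, expected_rules, team_may_bypass):
    """Return findings for one ruleset; an empty list means it fits the model."""
    name, findings = ruleset.get("name", "<unnamed>"), []
    if ruleset.get("target") != "tag" or ruleset.get("enforcement") != "active":
        findings.append(f"{name}: must be an active tag ruleset")
    ref = ruleset.get("conditions", {}).get("ref_name", {})
    if ref.get("include") != [TAG_REF] or ref.get("exclude"):
        findings.append(f"{name}: must cover exactly {TAG_REF}")
    rules = {r.get("type", "") for r in ruleset.get("rules", [])}
    if rules != expected_rules:
        findings.append(f"{name}: rules {sorted(rules)} != {sorted(expected_rules)}")
    for actor in ruleset.get("bypass_actors", []):
        kind, ident = actor.get("actor_type"), actor.get("actor_id")
        is_team = kind == "Team" and ident == RELEASE_TEAM_ID
        if kind != "OrganizationAdmin" and not (team_may_bypass and is_team):
            findings.append(f"{name}: unexpected bypass actor {kind} {ident}")
    return findings


def audit_split(creation, immutability):
    """Check both templates: team bypass on creation only, admins on both."""
    return (audit(creation, {"creation"}, team_may_bypass=True)
            + audit(immutability, {"update", "deletion"}, team_may_bypass=False))


if __name__ == "__main__":
    for finding in audit_split(CREATION, IMMUTABILITY) or ["ok: split model holds"]:
        print(finding)
```

The same function can be pointed at the exported live rulesets after migration to confirm the old combined ruleset is gone and the team ID on the creation ruleset is the verified one.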
