Split release tag rulesets#68
Open
kiwidream wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Split the
v*release tag ruleset into separate creation and immutability templates. Release maintainers can bypass tag creation through therelease-maintainersteam, while tag updates and deletions stay limited to organization admins.Updated the public branch and ruleset model to document the split rulesets, the
release-maintainersteam ID, and the migration path for replacing the old combined live ruleset.Testing
Validation run:
Target Branch
mainor a maintainer-requested release branch such as0.1.x.Risk / Review Notes
Notes: Release tag governance changes only. The PR does not change node runtime behavior.
Docs / Process Impact
Choose exactly one:
libbitcoinpqc Subtree Checklist (if
src/libbitcoinpqcchanged)Qbit-Org/qbit-libbitcoinpqc.contrib/devtools/update-libbitcoinpqc-subtree.sh.test/lint/libbitcoinpqc-subtree-check.shpasses locally.contrib/devtools/update-libbitcoinpqc-subtree.shis intentional and matchesdoc/subtrees/libbitcoinpqc.md.Need help on this PR? Tag
/codesmithwith what you need. Autofix is disabled.Note
Medium Risk
Changes release tag access control on GitHub; misapplied rulesets could block releases or leave tags mutable, but node runtime is unaffected.
Overview
Release tag governance is split from one combined
v*ruleset into two templates: creation and immutability.The new creation ruleset lets organization admins and the release-maintainers team (team ID
18321137) createrefs/tags/v*tags. The immutability ruleset keeps update and deletion restricted to organization admins only—release maintainers are explicitly not bypass actors there, so they cannot rewrite or remove tags after creation.public-branch-and-rulesets.mddocuments the two-template model, the break-glass path for tag fixes (org admin only), and migration steps to replace the old combined live ruleset, including verifying the release-maintainers team ID before apply.Reviewed by Cursor Bugbot for commit 2806130. Bugbot is set up for automated code reviews on this repo. Configure here.