Skip to content

Add governance-sentinel workflow (hardening Q6)#1

Merged
MSD21091969 merged 1 commit into
mainfrom
hardening/q6-governance-sentinel
Jul 7, 2026
Merged

Add governance-sentinel workflow (hardening Q6)#1
MSD21091969 merged 1 commit into
mainfrom
hardening/q6-governance-sentinel

Conversation

@MSD21091969

Copy link
Copy Markdown
Contributor

Adds a scheduled governance-sentinel workflow (hardening Q6).

What it does: every Monday 06:00 UTC (and on demand) it verifies the default-branch protection ruleset (hardening Q2: non_fast_forward + deletion block) is still active; if it's gone, it opens an alert issue. A failed run also emails the owner, so the check failing is itself a signal.

Scope / honest limits: uses only this repo's GITHUB_TOKEN (no cross-repo secret). Covers force-push + deletion protection loss on the default branch. Not covered — org member-change and audit-log alerting — needs an org webhook / audit-log API (GitHub Team/Enterprise) or a PAT with admin:org; documented in dev/reference/github-org-operations.md §Q6.

authored-by: agent:claude-cowork.hp-z440 / session:sam.z440-cowork-workspace / t248-hardening-close

authored-by: agent:claude-cowork.hp-z440 / session:sam.z440-cowork-workspace / t248-hardening-close
Copilot AI review requested due to automatic review settings July 7, 2026 02:10

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new scheduled/on-demand GitHub Actions workflow intended to detect “governance drift” by verifying that default-branch protection (force-push + deletion blocking via rulesets) remains enforced, and opening an alert issue if not.

Changes:

  • Introduces a governance-sentinel workflow scheduled weekly (Mondays 06:00 UTC) plus manual dispatch.
  • Uses gh api to inspect repository rulesets and creates an issue when protections appear missing.
  • Sets minimal permissions (administration: read, issues: write) for the sentinel behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +44 to +50
for id in $(echo "$rulesets" | jq -r '.[] | select(.enforcement=="active" and .target=="branch") | .id'); do
rules=$(gh api "repos/$REPO/rulesets/$id" --jq '[.rules[].type] | sort | join(",")')
echo "active branch ruleset $id -> rules: $rules"
if echo "$rules" | grep -q "non_fast_forward" && echo "$rules" | grep -q "deletion"; then
ok=1
fi
done
Comment on lines +8 to +11
# NOT covered here (GitHub Free + this repo token has no admin:org): org
# member-change and audit-log alerting — those need an org-level webhook or the
# audit-log API (GitHub Team/Enterprise) or a PAT with admin:org. See
# dev/reference/github-org-operations.md §Q6 for the documented remainder.

**Expected:** an active \`branch\`-target ruleset carrying \`non_fast_forward\` + \`deletion\` rules on \`$DEFAULT_BRANCH\`.

**Action:** re-apply per \`dev/reference/github-org-operations.md\` §Q2, or close this issue if the change was intentional.
@MSD21091969 MSD21091969 merged commit 357b0f2 into main Jul 7, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants