diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..533f535b
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,6 @@
+# Governance ownership for the library-size and policy-delta gate.
+# Edits to these paths require maintainer review and are tracked by
+# repo-guard's trusted policy boundary.
+/repo-policy.json @netkeep80
+/.github/workflows/repo-guard.yml @netkeep80
+/.github/CODEOWNERS @netkeep80
diff --git a/.github/workflows/repo-guard.yml b/.github/workflows/repo-guard.yml
index 842dcc5c..60698298 100644
--- a/.github/workflows/repo-guard.yml
+++ b/.github/workflows/repo-guard.yml
@@ -15,7 +15,7 @@ permissions:
 jobs:
 policy-check:
- name: repo-guard advisory check
+ name: repo-guard blocking check
 runs-on: ubuntu-latest
 if: github.event_name == 'pull_request' && !github.event.pull_request.draft
 steps:
@@ -25,10 +25,10 @@ jobs:
 - name: Run repo-guard
 id: repo_guard
- uses: netkeep80/repo-guard@6c81bb1050c7dca93de1a13108e0a024fe095298
+ uses: netkeep80/repo-guard@b1b6756639092bbd4ff6a473aeaa637a63475a86
 with:
 mode: check-pr
- enforcement: advisory
+ enforcement: blocking
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/docs/index.md b/docs/index.md
index 0a0dca25..edb3b8bb 100644
--- a/docs/index.md
+++ b/docs/index.md
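Review bot: The new CODEOWNERS covers only three of the paths that repo-policy.json's `governance_paths` list names (the `@@ -33,6 +33,7 @@` hunk of repo-policy.json adds `.github/CODEOWNERS` to a list that also holds `CONTRIBUTING.md`, `.github/workflows/docs-consistency.yml` and `.github/PULL_REQUEST_TEMPLATE.md`), so edits to those three paths get no code-owner review even though the policy treats them as governance. Adding `/CONTRIBUTING.md @netkeep80`, `/.github/workflows/docs-consistency.yml @netkeep80` and `/.github/PULL_REQUEST_TEMPLATE.md @netkeep80` keeps the two lists in step. The header comment's claim that edits "require maintainer review" holds only if the default branch's protection rule or ruleset requires review from Code Owners, which this diff cannot show; a comment such as `# Enforced only when branch protection requires review from Code Owners.` avoids giving readers a false picture of the gate. With a single listed owner, changes authored by that owner have no independent code-owner reviewer, which is worth recording as an accepted limitation or closing by adding a second owner.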
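Review bot: The action pin in `uses: netkeep80/repo-guard@b1b6756639092bbd4ff6a473aeaa637a63475a86` carries no human-readable version, so a reviewer cannot tell from the workflow which release the commit SHA corresponds to, and the same SHA is duplicated by hand in scripts/check-repo-guard-rollout.sh. A trailing comment of the form `uses: netkeep80/repo-guard@b1b6756639092bbd4ff6a473aeaa637a63475a86 # <release tag — fill in>` is the usual convention and lets tooling such as Dependabot keep pin and tag in step. Now that `enforcement: blocking` makes any failure of this step block the PR, it is also worth confirming that the `permissions:` block above the hunk (not visible here) grants nothing beyond the read scopes the rollout script asserts, so the blocking step keeps least privilege.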
@@ -10,7 +10,7 @@ Single entry point for PMM documentation. The canonical set below must match
 | [PMM Target Model](pmm_target_model.md) | Normative top-level model: PMM as compact persistent storage kernel; boundary vs `pjson` / `pjson_db` / execution / product layers |
 | [PMM Transformation Rules](pmm_transformation_rules.md) | Normative operational rulebook: allowed issue types, atomic-issue / no-mixed-PR / extraction-first / surface-compression rules, PR review semantics |
 | [Comment Policy](comment_policy.md) | Canonical text discipline for comments, docs placement, and text-surface review |
-| [BlockHeader Semantics](block_and_treenode_semantics.md) | Field-level specification of the single physical [BlockHeader](../include/pmm/block_header.h#pmm-blockheader) layout (`Block` is a type alias for `BlockHeader`) |
+| [BlockHeader Semantics](block_and_treenode_semantics.md) | Field-level specification of the single physical `BlockHeader` layout (`Block` is a type alias for `BlockHeader`) |
 | [Architecture](architecture.md) | Layer stack, memory layout, algorithms, storage backends, configuration |
 | [API Reference](api_reference.md) | Complete public API: lifecycle, allocation, containers, I/O, error codes |
 | [Validation Model](validation_model.md) | Low-level pointer and block validation: cheap vs full modes, conversion paths, error categories |
diff --git a/repo-policy.json b/repo-policy.json
index 3489fcfa..2a930154 100644
--- a/repo-policy.json
+++ b/repo-policy.json
@@ -2,7 +2,7 @@
 "policy_format_version": "0.3.0",
 "repository_kind": "library",
 "enforcement": {
- "mode": "advisory"
+ "mode": "blocking"
 },
 "paths": {
 "forbidden": [
@@ -33,6 +33,7 @@
 "governance_paths": [
 "repo-policy.json",
 "CONTRIBUTING.md",
+ ".github/CODEOWNERS",
 ".github/workflows/repo-guard.yml",
 ".github/workflows/docs-consistency.yml",
 ".github/PULL_REQUEST_TEMPLATE.md",
diff --git a/scripts/check-repo-guard-rollout.sh b/scripts/check-repo-guard-rollout.sh
index b72f588a..59bd35cf 100755
--- a/scripts/check-repo-guard-rollout.sh
+++ b/scripts/check-repo-guard-rollout.sh
@@ -22,11 +22,12 @@ workflow = workflow_path.read_text(encoding="utf-8")
 policy = json.loads(policy_path.read_text(encoding="utf-8"))
 issue_template = issue_template_path.read_text(encoding="utf-8")
 pr_template = pr_template_path.read_text(encoding="utf-8")
-expected_action_ref = "6c81bb1050c7dca93de1a13108e0a024fe095298"
+expected_action_ref = "b1b6756639092bbd4ff6a473aeaa637a63475a86"
 expected_action = f"netkeep80/repo-guard@{expected_action_ref}"
 old_action_refs = {
 "7ab5ca2f2d9859b4ffa2c423f05e951d4971be84",
 "99bf716da62c5d01070aa0d7e4d4f8031b43a351",
+ "6c81bb1050c7dca93de1a13108e0a024fe095298",
 }
 expected_profiles = {
 "governance",
@@ -78,7 +79,8 @@ if action_refs:
 for old_action_ref in old_action_refs:
 require(old_action_ref not in workflow, f"repo-guard workflow must not use old Action pin {old_action_ref}")
 require("mode: check-pr" in workflow, "repo-guard workflow must run check-pr mode")
-require("enforcement: advisory" in workflow, "repo-guard workflow must remain advisory in this stage")
+require("enforcement: blocking" in workflow, "repo-guard workflow must enforce policy in blocking mode")
+require("enforcement: advisory" not in workflow, "repo-guard workflow must not run in advisory mode")
 require("fetch-depth: 0" in workflow, "repo-guard workflow must use full checkout history")
 require("contents: read" in workflow, "repo-guard workflow must keep contents read-only permission")
 require("issues: read" in workflow, "repo-guard workflow must keep issues read-only permission")
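Review bot: The second hunk (`@@ -78,7 +79,8 @@`) tightens the workflow-text checks to blocking mode, but nothing in the script verifies the `.github/CODEOWNERS` file that this same commit adds to `governance_paths` in repo-policy.json, so the rollout check still passes if CODEOWNERS is deleted or stops covering a governance path. I would add a check next to the other `require` calls that reads CODEOWNERS and confirms every governance path has an owner line, in the substring style the script already uses; the sketch below assumes the `*_path` variables are `pathlib.Path` objects (the `read_text` calls suggest so) and leaves where `governance_paths` sits in the policy object as a placeholder, since its nesting is not visible in this diff. These are plain substring matches, so a commented-out `enforcement: advisory` line in the workflow would also trip the new negative check; that is consistent with the rest of the script but worth knowing when editing the workflow. The hunks are Python inside the script's embedded interpreter block, and that body continues outside both hunks.
```python
# … unchanged: existing workflow/policy require() checks …
codeowners_path = policy_path.parent / ".github" / "CODEOWNERS"  # assumes policy_path is the repo-root repo-policy.json — confirm
require(codeowners_path.is_file(), "repo-guard rollout requires .github/CODEOWNERS for governance paths")
codeowners = codeowners_path.read_text(encoding="utf-8")
governance_paths = GOVERNANCE_PATHS_PLACEHOLDER  # the list under repo-policy.json's "governance_paths" key; its nesting is not visible here
for governance_path in governance_paths:
    require(f"/{governance_path} " in codeowners, f"CODEOWNERS must assign an owner for governance path {governance_path}")
```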
@@ -94,7 +96,7 @@ for forbidden in (
 require(forbidden not in workflow, f"repo-guard workflow must not use legacy manual integration pattern: {forbidden}")
 policy_mode = policy.get("enforcement", {}).get("mode")
-require(policy_mode == "advisory", "repo-policy.json must default to advisory enforcement")
+require(policy_mode == "blocking", "repo-policy.json must enforce policy in blocking mode")
 for removed in ("change_classes", "new_file_rules", "change_type_rules"):
 require(removed not in policy, f"repo-policy.json must not use legacy {removed}")