…on (Aaron 2026-05-01 authorized)

Aaron 2026-05-01 *"full permission here except no budget plus i'm sure you'll keep your good disciplines"* — drift-debt has been blocking github-settings-drift.yml CI on every PR + push to main since 2026-04-29 (task #343). Regenerating expected snapshot to match current host state, with explicit per-class receipt below.

Five drift classes resolved:

1. **Ruleset rule removed: code_quality** (severity: all)
   - Status: intentional per task #343 (2026-04-29)
   - Drift-debt receipt was filed but snapshot wasn't refreshed at the time; this commit closes that gap
2. **Branch protection: required_status_checks.strict true → false**
   - Status: intentional (parallel-PR-friendly merging — eases this session's 5-PR convergence cluster from sequential rebase-thrashing each other)
   - When `strict: true`, every merged PR forces all sibling PRs to rebase before they can merge, which compounds at scale. `strict: false` lets sibling PRs merge without forced rebases against latest main.
3. **Workflows added to actions list** (CodeQL, Copilot cloud agent, backlog-index-integrity, budget-snapshot-cadence, memory-index-integrity, memory-reference-existence-lint, resume-diff, scorecard)
   - Status: natural — workflows exist in `.github/workflows/` already; they just hadn't fired yet at snapshot time (GitHub's actions/workflows API lists only those with at least one run)
4. **Environment added: copilot**
   - Status: natural — Copilot cloud agent enabled, which creates a `copilot` environment automatically
   - No protection rules attached; matches GitHub default
5. **CodeQL query_suite: default → extended**
   - Status: intentional widening of CodeQL coverage (more checks)
   - Composes with task #340 (codeql per-language source-presence gate landed) and the broader security-as-substrate framing

Out of scope for this commit (filing-worthy as separate work):

- **Ruleset-splitting refactor** — Aaron's reminder to keep "good disciplines like splitting rulesets so you could have all always on but multiple smaller rulesets" describes an architectural goal not yet executed. Currently only one `Default` ruleset exists; splitting into multiple smaller always-on rulesets is separate larger work, not bundled here.
Pull request overview
Refreshes the repository’s checked-in GitHub settings snapshot to match the current live GitHub host configuration, unblocking the github-settings-drift CI check that compares “expected” vs “live”.
Changes:
- Removed the `code_quality` ruleset rule from the expected snapshot.
- Updated default-branch protection to `required_status_checks.strict: false`.
- Added newly observed workflows/environments to the expected snapshot and updated CodeQL default setup `query_suite` to `extended`.
…apshot determinism fix (PR #1126 review thread) copilot-pull-request-reviewer P1: workflows list contains two entries with the same `.name` ("CodeQL") but different `.path`s. `snapshot-github-settings.sh` sorted by `.name` only, so ties could produce nondeterministic ordering when GitHub's API returned them in varying order — causing flaky drift diffs. Fix: sort_by(.name, .path) gives a stable secondary key. Re-snapshotted expected.json with the new sort; diff verifies no drift. Resolves thread PRRT_kwDOSF9kNM5_AuTU on PR #1126.
AceHack added a commit that referenced this pull request May 1, 2026
…low + visibility-constraint clarification + B-0154 forward-ref annotation

Three substantive fixes:

1. **Line-leading `+` on continuation** (MD004 lint, recursive irony from B-0153's class 1) — reflowed "+ tick-history-order" to "and tick-history-order" so the continuation doesn't read as a nested bullet.
2. **Visibility-constraint memory reference** — referenced filename doesn't exist in repo (rule is referenced PROSEFULLY in MEMORY.md + multiple memory files but never landed as its own dedicated memory file). Replaced broken pointer with prose acknowledgement + verbatim Aaron 2026-04-28 quote, and noted the rule is referenced-not-yet-filed.
3. **B-0154 depends_on forward-ref** — annotated as "(forward-ref to PR #1125 not yet merged on main)" so the DAG semantics are explicit.

Threads PRRT_kwDOSF9kNM5_Awkw + PRRT_kwDOSF9kNM5_AwlS (about "Current state" inconsistency with snapshot showing code_quality + strict:true) are now stale — post-rebase, this branch reflects post-PR-#1126 state which matches the row content. Resolving those without code change.
AceHack added a commit that referenced this pull request May 1, 2026
…e preferred (Aaron 2026-05-01) (#1127)

* backlog(B-0155): GitHub settings refactor — ruleset split + git-native preferred (Aaron 2026-05-01)

Aaron 2026-05-01: *"the settings that are there are accidental complexity not intentional, we want best practices and to prefer the git native settings over the legacy github ui/cli only settings, these are nasty thats why they are legacy"* + earlier *"splitting rulesets so you could have all always on but multiple smaller rulesets"*.

Three composing directives captured:

1. Treat current settings as accidental complexity (not load-bearing)
2. Split single big ruleset → three concern-aligned smaller always-on rulesets (Branch integrity / Review process / CI gate)
3. Prefer git-native (declarative-in-tree + ruleset-as-code) over legacy UI/CLI-only branch-protection settings

Phase plan: audit + design, split implementation, branch-protection cleanup, documentation.

Reconciliation script (tools/hygiene/apply-github-settings.sh) as mechanization candidate that makes click-ops drift structurally impossible.

depends_on: B-0154 (sibling host-config refactor work).

* docs(github-settings): B-0155 Phase 1 audit + migration matrix + three-ruleset target shape

Phase 1 deliverable for B-0155 — audit-only, no host changes yet. Captures:

1. Migration matrix — every legacy branch-protection field mapped to its ruleset rule equivalent (or "no equivalent, keep in legacy") so future maintainers + the reconciliation script (Phase 2) have a ground-truth reference for what migrates and what stays.
2. Three-ruleset target shape — Branch integrity / Review process / CI gate. Each concern-aligned, all always-on, smaller blast-radius per Aaron's "splitting rulesets so you could have all always on but multiple smaller rulesets" framing.
3. Minimized branch protection — post-migration, only `allow_fork_syncing` (legacy-only) remains in branch protection. Everything else moves to rulesets where rule equivalents exist.
4. Git-native rationale — captures Aaron's "these are nasty thats why they are legacy" framing + the reconciliation script direction that closes the loop on click-ops drift.
5. Reconciliation script vision — `tools/hygiene/apply-github-settings.sh` as the third verb (alongside snapshot + check) that makes drift structurally impossible.

Audit-only commit; Phase 2 (snapshot edit + reconciliation script + apply) is a separate PR after this row's audit lands.

* backlog(B-0155): address PR #1127 review threads — line-leading + reflow + visibility-constraint clarification + B-0154 forward-ref annotation

Three substantive fixes:

1. **Line-leading `+` on continuation** (MD004 lint, recursive irony from B-0153's class 1) — reflowed "+ tick-history-order" to "and tick-history-order" so the continuation doesn't read as a nested bullet.
2. **Visibility-constraint memory reference** — referenced filename doesn't exist in repo (rule is referenced PROSEFULLY in MEMORY.md + multiple memory files but never landed as its own dedicated memory file). Replaced broken pointer with prose acknowledgement + verbatim Aaron 2026-04-28 quote, and noted the rule is referenced-not-yet-filed.
3. **B-0154 depends_on forward-ref** — annotated as "(forward-ref to PR #1125 not yet merged on main)" so the DAG semantics are explicit.

Threads PRRT_kwDOSF9kNM5_Awkw + PRRT_kwDOSF9kNM5_AwlS (about "Current state" inconsistency with snapshot showing code_quality + strict:true) are now stale — post-rebase, this branch reflects post-PR-#1126 state which matches the row content. Resolving those without code change.

* backlog(B-0155): strict:false confirmed deliberate (Aaron 2026-05-01) — graduates from accidental to canonical

Aaron 2026-05-01: *"no we want false"* + *"yes that is not accidentally"* — explicit confirmation that `required_status_checks.strict: false` is the intentional design choice, not accidental complexity.

Sharpens the everything-greenfield rule: the DEFAULT prior at week-one is "configs are accidental candidates," but specific configs can graduate to confirmed-deliberate via direct maintainer signal. `strict: false` is one such confirmed-deliberate setting (parallel-PR-friendly cadence is the architecture).

Composes with feedback_everything_greenfield_at_week_one's cause-attribution refinement (the click-vs-decision discipline; Aaron just made the click-then-decision graduation explicit for this specific setting).
Summary
Aaron 2026-05-01 "full permission here except no budget plus i'm sure you'll keep your good disciplines" — drift-debt has been blocking `github-settings-drift.yml` CI on every PR + push to main since 2026-04-29 (task #343).
Refreshes `tools/hygiene/github-settings.expected.json` to match current host state, with explicit per-class receipt of every diff.
Drift classes resolved
Out of scope (separate larger work)
Test plan
🤖 Generated with Claude Code