Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

Allow CI bot to push auto-generated files (.coverage-baseline, SBOM) to ruleset-protected branches #61

Description

@rubenvdlinde

Problem

The shared quality.yml workflow's update-baseline job (and, if/when we start committing SBOMs back, a similar SBOM-commit step) runs on push to main/development, regenerates .coverage-baseline, commits it as github-actions[bot], and git pushes. On any repo whose development/main branch is covered by the org rulesets (1–2 required reviews), that push is rejected:

remote: error: GH013: Repository rule violations found for refs/heads/development.
error: failed to push some refs to 'https://github.com/ConductionNL/<app>'

So the job fails ⇒ the whole "Code Quality" workflow goes red, even though every actual quality gate passed. Currently visible on ConductionNL/procest (which has enable-coverage-guard: true); it will hit any app that opts into the coverage guard.

Asks

  1. Let the CI bot push the auto-generated convenience files (/.coverage-baseline, and the SBOM file path if we ever start committing it) to development/main without a review, on every app repo.
  2. (Interim, already done in quality.ymlfix(quality): SBOM via package-lock; non-blocking coverage-baseline push #62): the git push in the update-baseline job is now non-blocking — it logs a ::warning:: instead of failing the build. Once (1) is in place that can stay (the warning just won't fire) or be tightened back to a hard failure.

Where / how to configure this

The rulesets are org-level, not per-repo:

  • https://github.com/organizations/ConductionNL/settings/rules → Org Settings → Code, planning, and automationRepository → Rulesets → open the dev ruleset (and beta, main). Each has a "Bypass list" section ("Add bypass").

Wrinkles to be aware of:

  • github-actions[bot] can't be added as a bypass actor directly. Ruleset bypass actors are: repo roles (Admin / Maintain / Write), Teams, Deploy keys, or GitHub Apps. The ${{ github.token }} the workflow uses is github-actions[bot], and it isn't selectable.
  • Bypass is all-or-nothing per actor — you can't scope a bypass actor to "only push /.coverage-baseline". In practice that job only ever pushes that one file, so it's acceptable; but if path-scoping matters, the cleaner option is to have the job open a PR (see option B below).

Option A — dedicated GitHub App as a ruleset bypass actor (recommended)

  1. Create a small GitHub App (e.g. "ConductionNL CI Bot") with Repository permissions → Contents: write (nothing else needed).
  2. Install it on the ConductionNL org for all repos.
  3. In each org ruleset (dev, beta, main) → Bypass listAdd bypass → pick that App.
  4. In quality.yml's update-baseline job: mint a token with actions/create-github-app-token@v1 (app id + private key stored as org secrets), pass it to actions/checkout's token: and use it for the git push. Then the push runs as the App → on the bypass list → succeeds.
  5. Once verified, the git push || echo "::warning::…" fallback can be reverted to a plain git push (the warning becomes dead code) — or kept as a belt-and-suspenders.

Option B — open a PR instead of pushing (no bypass actor)

Change update-baseline to create a branch + PR with the .coverage-baseline change (peter-evans/create-pull-request or gh pr create), optionally auto-merge it. No ruleset change at all; downside is a tiny bit of PR churn whenever coverage moves.

Related

  • Surfaced while getting ConductionNL/procest's CI green (PR #421 et al.).
  • quality.yml interim fix: fix(quality): SBOM via package-lock; non-blocking coverage-baseline push #62 (--package-lock-only for the SBOM step + non-blocking baseline push).
  • Underlying dep-declaration noise feeding the SBOM npm ls errors (e.g. @conduction/nextcloud-vue listing bootstrap-vue as a hard dependency) should be cleaned up at the library level — separate.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions