You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The shared quality.yml workflow's update-baseline job (and, if/when we start committing SBOMs back, a similar SBOM-commit step) runs on push to main/development, regenerates .coverage-baseline, commits it as github-actions[bot], and git pushes. On any repo whose development/main branch is covered by the org rulesets (1–2 required reviews), that push is rejected:
remote: error: GH013: Repository rule violations found for refs/heads/development.
error: failed to push some refs to 'https://github.com/ConductionNL/<app>'
So the job fails ⇒ the whole "Code Quality" workflow goes red, even though every actual quality gate passed. Currently visible on ConductionNL/procest (which has enable-coverage-guard: true); it will hit any app that opts into the coverage guard.
Asks
Let the CI bot push the auto-generated convenience files (/.coverage-baseline, and the SBOM file path if we ever start committing it) to development/main without a review, on every app repo.
(Interim, already done in quality.yml — fix(quality): SBOM via package-lock; non-blocking coverage-baseline push #62): the git push in the update-baseline job is now non-blocking — it logs a ::warning:: instead of failing the build. Once (1) is in place that can stay (the warning just won't fire) or be tightened back to a hard failure.
Where / how to configure this
The rulesets are org-level, not per-repo:
https://github.com/organizations/ConductionNL/settings/rules → Org Settings → Code, planning, and automation → Repository → Rulesets → open the dev ruleset (and beta, main). Each has a "Bypass list" section ("Add bypass").
Wrinkles to be aware of:
github-actions[bot] can't be added as a bypass actor directly. Ruleset bypass actors are: repo roles (Admin / Maintain / Write), Teams, Deploy keys, or GitHub Apps. The ${{ github.token }} the workflow uses isgithub-actions[bot], and it isn't selectable.
Bypass is all-or-nothing per actor — you can't scope a bypass actor to "only push /.coverage-baseline". In practice that job only ever pushes that one file, so it's acceptable; but if path-scoping matters, the cleaner option is to have the job open a PR (see option B below).
Option A — dedicated GitHub App as a ruleset bypass actor (recommended)
Create a small GitHub App (e.g. "ConductionNL CI Bot") with Repository permissions → Contents: write (nothing else needed).
Install it on the ConductionNL org for all repos.
In each org ruleset (dev, beta, main) → Bypass list → Add bypass → pick that App.
In quality.yml's update-baseline job: mint a token with actions/create-github-app-token@v1 (app id + private key stored as org secrets), pass it to actions/checkout's token: and use it for the git push. Then the push runs as the App → on the bypass list → succeeds.
Once verified, the git push || echo "::warning::…" fallback can be reverted to a plain git push (the warning becomes dead code) — or kept as a belt-and-suspenders.
Option B — open a PR instead of pushing (no bypass actor)
Change update-baseline to create a branch + PR with the .coverage-baseline change (peter-evans/create-pull-request or gh pr create), optionally auto-merge it. No ruleset change at all; downside is a tiny bit of PR churn whenever coverage moves.
Related
Surfaced while getting ConductionNL/procest's CI green (PR #421 et al.).
Underlying dep-declaration noise feeding the SBOM npm ls errors (e.g. @conduction/nextcloud-vue listing bootstrap-vue as a hard dependency) should be cleaned up at the library level — separate.
Problem
The shared
quality.ymlworkflow'supdate-baselinejob (and, if/when we start committing SBOMs back, a similar SBOM-commit step) runs on push tomain/development, regenerates.coverage-baseline, commits it asgithub-actions[bot], andgit pushes. On any repo whosedevelopment/mainbranch is covered by the org rulesets (1–2 required reviews), that push is rejected:So the job fails ⇒ the whole "Code Quality" workflow goes red, even though every actual quality gate passed. Currently visible on
ConductionNL/procest(which hasenable-coverage-guard: true); it will hit any app that opts into the coverage guard.Asks
/.coverage-baseline, and the SBOM file path if we ever start committing it) todevelopment/mainwithout a review, on every app repo.quality.yml— fix(quality): SBOM via package-lock; non-blocking coverage-baseline push #62): thegit pushin theupdate-baselinejob is now non-blocking — it logs a::warning::instead of failing the build. Once (1) is in place that can stay (the warning just won't fire) or be tightened back to a hard failure.Where / how to configure this
The rulesets are org-level, not per-repo:
https://github.com/organizations/ConductionNL/settings/rules→ Org Settings → Code, planning, and automation → Repository → Rulesets → open thedevruleset (andbeta,main). Each has a "Bypass list" section ("Add bypass").Wrinkles to be aware of:
github-actions[bot]can't be added as a bypass actor directly. Ruleset bypass actors are: repo roles (Admin / Maintain / Write), Teams, Deploy keys, or GitHub Apps. The${{ github.token }}the workflow uses isgithub-actions[bot], and it isn't selectable./.coverage-baseline". In practice that job only ever pushes that one file, so it's acceptable; but if path-scoping matters, the cleaner option is to have the job open a PR (see option B below).Option A — dedicated GitHub App as a ruleset bypass actor (recommended)
ConductionNLorg for all repos.dev,beta,main) → Bypass list → Add bypass → pick that App.quality.yml'supdate-baselinejob: mint a token withactions/create-github-app-token@v1(app id + private key stored as org secrets), pass it toactions/checkout'stoken:and use it for thegit push. Then the push runs as the App → on the bypass list → succeeds.git push || echo "::warning::…"fallback can be reverted to a plaingit push(the warning becomes dead code) — or kept as a belt-and-suspenders.Option B — open a PR instead of pushing (no bypass actor)
Change
update-baselineto create a branch + PR with the.coverage-baselinechange (peter-evans/create-pull-requestorgh pr create), optionally auto-merge it. No ruleset change at all; downside is a tiny bit of PR churn whenever coverage moves.Related
ConductionNL/procest's CI green (PR #421 et al.).quality.ymlinterim fix: fix(quality): SBOM via package-lock; non-blocking coverage-baseline push #62 (--package-lock-onlyfor the SBOM step + non-blocking baseline push).npm lserrors (e.g.@conduction/nextcloud-vuelistingbootstrap-vueas a hard dependency) should be cleaned up at the library level — separate.