fix: rulesets empty-contexts + skip control-surface repos in config#34
Merged
Merged
Conversation
## Two production issues found by today's smoke test ### Bug 1 — temper-ops itself fails configuration `/Users/r/git/pulseengine/temper-ops` issue #1 (auto-created by the bot during `repository.created`): ❌ Configuration failed: Upgrade to GitHub Pro or make this repository public to enable this feature. The bot tried to apply branch protection on the new private control- surface repo. Free-plan private repos can't have branch protection. More importantly, even on Pro, temper-ops shouldn't be configured at all — it's a meta repo (issue forms only), not org code. ### Bug 2 — rulesets API rejects empty `required_status_checks` `/sync-all-repos` logs across timedate-mcp, template-mcp-server, bazel-file-ops-component, …: Validation Failed: "Invalid rule 'required_status_checks': Invalid parameter required_status_checks: Expected at least 1 elements, got 0" Our config has `contexts: []`. Legacy branch protection accepts that; Rulesets API does not. Translator emitted a half-valid rule and the entire ruleset POST 422'd, silently falling back to legacy. Net effect: no rulesets actually being applied during the org sweep. ## Fixes `src/rulesets.js` — translator now skips the `required_status_checks` rule entirely when contexts is empty or missing. The rest of the ruleset ships fine. Users who want strict status checks must list at least one context name. `src/config.js` — new `isControlSurfaceRepo(fullName)` helper. Returns true when the name matches a configured-and-enabled `chatops_repo.repo` or `controller_repo.repo`. Used by: - `src/repository.js` `configureRepository` — early returns `{success: true, skipped: 'control-surface'}`. Avoids issue spam, branch-protection 403s, dependabot noise on a repo with no code. - `src/organization.js` `synchronizeAllRepositories` — skips with a log line, doesn't even attempt configureRepository. ## Test plan - [x] All 806 tests pass (was 799 — added 7: rulesets-empty-contexts + isControlSurfaceRepo enable/disable/match-cases) - [x] eslint clean - [ ] After deploy: re-trigger /sync-all-repos. Logs should NOT show "Rulesets not available" 422 fallbacks anymore. temper-ops should be skipped entirely (no failed-config issue, no branch-protection attempt). ## Risk & rollout - Risk: low. Both fixes are narrow; the rulesets translator change only affects the empty-contexts case (current default), and the control- surface skip only fires for the explicitly-named admin repos. - Rollout: self-update on merge. Then re-run /sync-all-repos via the ChatOps issue form to actually apply rulesets across the org this time. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced Apr 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two issues from today's smoke test:
1. temper-ops can't be configured — bot tried branch protection on a free-plan private repo, and shouldn't be touching control-surface repos anyway. Add
isControlSurfaceRepohelper, skip inconfigureRepositoryandsynchronizeAllRepositories.2. Rulesets 422 — config has
required_status_checks.contexts: []. Rulesets API rejects empty contexts (legacy accepts). Translator now skips the rule entirely when contexts is empty, so the rest of the ruleset still applies cleanly.Test plan
🤖 Generated with Claude Code