Skip to content

fix: repoint the six org required-workflow rulesets off reusable-workflows (blocks its archival)Β #87

Description

@devantler

πŸ€– Generated by the Daily AI Engineer

Problem

All six org "Require workflows to pass" rulesets still source their required workflow from the legacy reusable-workflows repo (repository_id: 1022337231) β€” an org-level consumer class the actions#425 migration verifications missed (they only checked uses: pins in consumer workflow files). This means reusable-workflows is still load-bearing for every gated PR in the org, and archiving it (actions#425 AC3) is blocked until these repoint to actions (repository_id: 948529001).

Live state (verified 2026-07-10):

Ruleset id Required workflow Targeting Equivalent on actions@main
… - EnableAutoMerge 3716878 enable-auto-merge.yaml custom prop EnableAutoMerge=true βœ… exists
… - DependencyReview 17213449 dependency-review.yaml (no property filter) βœ… exists
… - ScanGitHubActions 14426226 scan-for-workflow-vulnerabilities.yaml custom prop ScanGitHubActions=true βœ… exists
… for .NET 3716863 run-dotnet-tests.yaml system prop language=C# βœ… exists
… for Go 10320335 validate-go-project.yaml system prop language=Go βœ… exists
… - LintDocumentation 10320296 lint-documentation.yaml empty include β†’ targets no repos ❌ missing in both repos

LintDocumentation is doubly inert: the workflow file exists in neither reusable-workflows nor actions, and its repository_property.include is empty, so it matches no repos β€” pure config debt.

Proposed direction

These rulesets are Observe-only imports in deploy/organization-rulesets/ (per that dir's README, promoting an import past Observe risks wiping live rules via the provider's lossy round-trip), so the sanctioned write path is the same one that created them: the org admin's UI/API. Hence maintainer one-clicks (each fetches the live ruleset fresh, swaps only the repository_id, and PUTs the full object back β€” same-path workflows all exist on actions@main):

for id in 3716878 17213449 14426226 3716863 10320335; do
  gh api "orgs/devantler-tech/rulesets/$id" \
    | jq '.rules[0].parameters.workflows[0].repository_id = 948529001
          | {name,target,enforcement,conditions,bypass_actors,rules}' \
    | gh api -X PUT "orgs/devantler-tech/rulesets/$id" --input -
done

And delete the inert LintDocumentation ruleset:

gh api -X DELETE orgs/devantler-tech/rulesets/10320296

Verify afterwards (should print 948529001 five times and 404 for 10320296):

for id in 3716878 17213449 14426226 3716863 10320335; do
  gh api "orgs/devantler-tech/rulesets/$id" --jq '.rules[0].parameters.workflows[0].repository_id'
done

Risk is low: the five workflows have identical paths on actions@main and have been the live implementations since the actions v7–v9 merge; the swap changes only which repo the required run is sourced from. If any repo's PR checks wedge after the swap, the same PUT with 1022337231 reverts it.

Rough size

S β€” five idempotent PUTs + one DELETE, org-admin-only (agent cannot and should not write org rulesets imperatively). Merge-order gate: this must land before reusable-workflows is archived; the archival PR will reference this issue.

Part of actions#425; unblocks monorepo#1964 downstream.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions