π€ Generated by the Daily AI Engineer
Problem
All six org "Require workflows to pass" rulesets still source their required workflow from the legacy reusable-workflows repo (repository_id: 1022337231) β an org-level consumer class the actions#425 migration verifications missed (they only checked uses: pins in consumer workflow files). This means reusable-workflows is still load-bearing for every gated PR in the org, and archiving it (actions#425 AC3) is blocked until these repoint to actions (repository_id: 948529001).
Live state (verified 2026-07-10):
| Ruleset |
id |
Required workflow |
Targeting |
Equivalent on actions@main |
| β¦ - EnableAutoMerge |
3716878 |
enable-auto-merge.yaml |
custom prop EnableAutoMerge=true |
β
exists |
| β¦ - DependencyReview |
17213449 |
dependency-review.yaml |
(no property filter) |
β
exists |
| β¦ - ScanGitHubActions |
14426226 |
scan-for-workflow-vulnerabilities.yaml |
custom prop ScanGitHubActions=true |
β
exists |
| β¦ for .NET |
3716863 |
run-dotnet-tests.yaml |
system prop language=C# |
β
exists |
| β¦ for Go |
10320335 |
validate-go-project.yaml |
system prop language=Go |
β
exists |
| β¦ - LintDocumentation |
10320296 |
lint-documentation.yaml |
empty include β targets no repos |
β missing in both repos |
LintDocumentation is doubly inert: the workflow file exists in neither reusable-workflows nor actions, and its repository_property.include is empty, so it matches no repos β pure config debt.
Proposed direction
These rulesets are Observe-only imports in deploy/organization-rulesets/ (per that dir's README, promoting an import past Observe risks wiping live rules via the provider's lossy round-trip), so the sanctioned write path is the same one that created them: the org admin's UI/API. Hence maintainer one-clicks (each fetches the live ruleset fresh, swaps only the repository_id, and PUTs the full object back β same-path workflows all exist on actions@main):
for id in 3716878 17213449 14426226 3716863 10320335; do
gh api "orgs/devantler-tech/rulesets/$id" \
| jq '.rules[0].parameters.workflows[0].repository_id = 948529001
| {name,target,enforcement,conditions,bypass_actors,rules}' \
| gh api -X PUT "orgs/devantler-tech/rulesets/$id" --input -
done
And delete the inert LintDocumentation ruleset:
gh api -X DELETE orgs/devantler-tech/rulesets/10320296
Verify afterwards (should print 948529001 five times and 404 for 10320296):
for id in 3716878 17213449 14426226 3716863 10320335; do
gh api "orgs/devantler-tech/rulesets/$id" --jq '.rules[0].parameters.workflows[0].repository_id'
done
Risk is low: the five workflows have identical paths on actions@main and have been the live implementations since the actions v7βv9 merge; the swap changes only which repo the required run is sourced from. If any repo's PR checks wedge after the swap, the same PUT with 1022337231 reverts it.
Rough size
S β five idempotent PUTs + one DELETE, org-admin-only (agent cannot and should not write org rulesets imperatively). Merge-order gate: this must land before reusable-workflows is archived; the archival PR will reference this issue.
Part of actions#425; unblocks monorepo#1964 downstream.
Problem
All six org "Require workflows to pass" rulesets still source their required workflow from the legacy
reusable-workflowsrepo (repository_id: 1022337231) β an org-level consumer class the actions#425 migration verifications missed (they only checkeduses:pins in consumer workflow files). This meansreusable-workflowsis still load-bearing for every gated PR in the org, and archiving it (actions#425 AC3) is blocked until these repoint toactions(repository_id: 948529001).Live state (verified 2026-07-10):
actions@mainenable-auto-merge.yamlEnableAutoMerge=truedependency-review.yamlscan-for-workflow-vulnerabilities.yamlScanGitHubActions=truerun-dotnet-tests.yamllanguage=C#validate-go-project.yamllanguage=Golint-documentation.yamlLintDocumentationis doubly inert: the workflow file exists in neitherreusable-workflowsnoractions, and itsrepository_property.includeis empty, so it matches no repos β pure config debt.Proposed direction
These rulesets are Observe-only imports in
deploy/organization-rulesets/(per that dir's README, promoting an import pastObserverisks wiping live rules via the provider's lossy round-trip), so the sanctioned write path is the same one that created them: the org admin's UI/API. Hence maintainer one-clicks (each fetches the live ruleset fresh, swaps only therepository_id, andPUTs the full object back β same-path workflows all exist onactions@main):And delete the inert LintDocumentation ruleset:
Verify afterwards (should print
948529001five times and 404 for 10320296):Risk is low: the five workflows have identical paths on
actions@mainand have been the live implementations since the actions v7βv9 merge; the swap changes only which repo the required run is sourced from. If any repo's PR checks wedge after the swap, the samePUTwith1022337231reverts it.Rough size
S β five idempotent
PUTs + oneDELETE, org-admin-only (agent cannot and should not write org rulesets imperatively). Merge-order gate: this must land beforereusable-workflowsis archived; the archival PR will reference this issue.Part of actions#425; unblocks monorepo#1964 downstream.