
chore(ospo): close Hardening Controls 5 + 7 findings #22

Merged: jung-thomas merged 10 commits into main from ospo-hardening-2026-06 on Jun 1, 2026

Conversation

@jung-thomas (Contributor)

Summary

Closes the OSPO Hardening Controls 5 ("Action Required") and partially addresses Control 7 ("Warning") findings on this repo.

Changes

  1. Ruleset — `.github/rulesets/main-protection.json`: swap admin (`RepositoryRole 5 / always`) bypass for narrow `github-actions[bot]` (`Integration 15368 / pull_request`) bypass. After this, admins cannot bypass; only the bot can self-merge its own PRs (still gated by the required `test` status check).
  2. Workflow — `.github/workflows/news-sync.yml`: refactor direct `git push origin main` to a PR-based flow (`gh pr create` + `gh pr merge --auto --squash`). Adds `pull-requests: write` permission and a `concurrency: news-sync` block.
  3. Docs — `CLAUDE.md`: update OSPO compliance paragraph. `docs/ospo-admin-demotion-draft.md`: new draft document classifying the 25-admin roster for the project owner to act on (no demotions executed in this PR).

Spec

docs/superpowers/specs/2026-06-01-ospo-hardening-design.md

Deployment ordering (post-merge)

  1. Merge this PR under the current admin-bypass ruleset (this is the last admin-bypassable merge).
  2. Enable Settings → General → Pull Requests → Allow auto-merge.
  3. Import the new `main-protection` ruleset via Settings → Rulesets → Import (use the file in `.github/rulesets/main-protection.json`).
  4. Verify by triggering `news-sync.yml` manually and confirming a PR opens, auto-merges, and `main` updates.

Rollback

`git revert` this PR's merge commit and re-import the previous ruleset version. One `gh api` call away.

- Task 3: tolerate auto-merge failure when 'Allow auto-merge' is off
- Task 4: downgrade live workflow_dispatch smoke test to static validation
- Task 1: add ruleset semantic validation via gh api PUT .../check
- Task 5: drop stale line-number reference in Files header
- Task 8: guard empty RULESET_ID with actionable error message
- Drop fake gh api PUT .../check call (endpoint doesn't exist)
- Remove two stale CLAUDE.md line-233 references
- Update verification-note to reflect static-only pre-merge validation

Removes RepositoryRole 5 (Admin) bypass with mode 'always' and replaces
it with Integration 15368 (github-actions[bot]) bypass scoped to
'pull_request' merges only.

Effect: humans (including admins) can no longer push directly to main
or merge PRs that fail the rules. The bot can self-merge its own PRs
(e.g. news-sync) without an approver, but the required 'test' status
check still gates the merge.

Addresses OSPO Hardening Control 5.
Spec: docs/superpowers/specs/2026-06-01-ospo-hardening-design.md
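The ruleset change described in the PR summary (item 1) and in the commit above, as an added example that is not the project's `.github/rulesets/main-protection.json` nor any validator shipped in this PR: a static check of a ruleset export that encodes the Control 5 intent (nobody bypasses always, no human role bypasses at all, only the GitHub Actions app bypasses, and only for pull requests). The two rulesets are constructed fragments in the shape of a Settings → Rulesets → Export file with only the fields the check reads; the actor IDs and the `test` check come from the page, the rule parameters are assumptions.

```python
"""Static audit of a GitHub repository ruleset export (added example)."""
import json
from typing import List

GITHUB_ACTIONS_APP_ID = 15368   # github-actions[bot], the Integration named in the PR
REQUIRED_CHECK = "test"         # the status check the PR says must gate merges

# Assumed rule set; parameters are illustrative, not copied from the repo.
COMMON_RULES = [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {"type": "pull_request",
     "parameters": {"required_approving_review_count": 1}},
    {"type": "required_status_checks",
     "parameters": {"strict_required_status_checks_policy": True,
                    "required_status_checks": [{"context": REQUIRED_CHECK}]}},
]

# Before: repository Admin (RepositoryRole 5) bypasses every rule, always.
WEAK = {
    "name": "main-protection", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
    "bypass_actors": [
        {"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"},
    ],
    "rules": COMMON_RULES,
}

# After: only the Actions app, and only when merging a pull request.
HARDENED = dict(WEAK, bypass_actors=[
    {"actor_id": GITHUB_ACTIONS_APP_ID, "actor_type": "Integration",
     "bypass_mode": "pull_request"},
])


def audit_ruleset(ruleset: dict) -> List[str]:
    """Return a list of findings; an empty list means the export matches the intent."""
    findings = []
    if ruleset.get("enforcement") != "active":
        findings.append(f"enforcement is {ruleset.get('enforcement')!r}, not 'active'")
    for actor in ruleset.get("bypass_actors", []):
        kind = actor.get("actor_type")
        ident = actor.get("actor_id")
        mode = actor.get("bypass_mode")
        if mode == "always":
            findings.append(f"{kind} {ident} has bypass_mode 'always' (direct pushes allowed)")
        if kind in ("RepositoryRole", "OrganizationAdmin", "Team"):
            findings.append(f"human bypass actor {kind} {ident} present")
        if kind == "Integration" and ident != GITHUB_ACTIONS_APP_ID:
            findings.append(f"unexpected app bypass: Integration {ident}")
    rule_types = {r["type"] for r in ruleset.get("rules", [])}
    for needed in ("pull_request", "required_status_checks", "non_fast_forward", "deletion"):
        if needed not in rule_types:
            findings.append(f"rule {needed!r} missing")
    contexts = {c["context"]
                for r in ruleset.get("rules", [])
                if r["type"] == "required_status_checks"
                for c in r["parameters"]["required_status_checks"]}
    if REQUIRED_CHECK not in contexts:
        findings.append(f"required status check {REQUIRED_CHECK!r} missing")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a ruleset JSON file on disk (the repo export or a live `gh api` dump)."""
    with open(path, encoding="utf-8") as fh:
        return audit_ruleset(json.load(fh))


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ruleset(ruleset) or "OK")
```

Run it against the committed file with `audit_file(".github/rulesets/main-protection.json")`, and against what is actually enforced by dumping the live ruleset with `gh api repos/OWNER/REPO/rulesets/RULESET_ID > live.json` (GitHub's GET ruleset endpoint) and auditing that file; the two can drift after a manual edit in the UI. One caveat to keep in mind when reading "still gated by the required test check": per GitHub's ruleset docs a bypass actor bypasses every rule in the ruleset, status checks included, so what keeps `test` in the path for the bot is `gh pr merge --auto`, which defers the merge until checks pass, not the ruleset itself. A workflow that ran a plain `gh pr merge` with the bot token would not be held by the check.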

…group

Prepares news-sync for PR-based flow (Task 3).

- pull-requests: write    needed for 'gh pr create' and 'gh pr merge'
- concurrency: news-sync  serializes overlapping cron + manual runs to
                          prevent force-push races on bot/news-sync-update

The previous flow ran 'git commit && git push' directly to main. After
the OSPO hardening ruleset takes effect (sister commit), direct pushes
to main are blocked even for the bot. This step instead:

  1. Pushes to a stable bot branch (bot/news-sync-update, force-push)
  2. Opens a PR via 'gh pr create' if one isn't already open
  3. Arms 'gh pr merge --auto --squash' which fires when the test check
     passes

The bot's narrow ruleset bypass (Integration 15368 / pull_request mode)
allows the auto-merge to proceed without a human approver.

Spec: docs/superpowers/specs/2026-06-01-ospo-hardening-design.md

Admins no longer bypass the main ruleset; only github-actions[bot] has
a narrow PR-merge bypass for automation.

Classifies all 25 current admins into project leads (3, keep), org-mandated
(6, cannot demote at repo level), and inherited/unclear (16, propose
demote to maintain).

No demotions are executed by this PR. The project owner reviews and
acts per-account.

The Task 3 implementation amended its initial commit to fix two bugs:
1. jq expression now uses '.[0].number // empty' (was returning literal
   string 'null' for empty PR list, breaking the existence check)
2. --label 'automation,news-sync' removed (labels don't exist in repo)

The spec and plan still showed the original buggy code blocks. This
commit syncs them with what actually shipped.
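The PR-based publish flow from the news-sync commit above (push bot branch, open a PR if none is open, arm auto-merge) together with the two bugs the spec-sync commit records, as an added example that is not the project's `news-sync.yml` step. It is a Python driver around the `gh` CLI rather than the shell-plus-jq the workflow uses, so the existence check uses `json.loads` where the workflow uses `.[0].number // empty`; the `gh` calls go through a `run` callable so the same logic can be exercised offline against a scripted fake. The branch names, PR title, fake responses and the `example/repo` URL are assumptions.

```python
"""Idempotent PR-open-and-auto-merge step for a bot branch (added example)."""
import json
import subprocess
from typing import Callable, Optional, Sequence

HEAD_BRANCH = "bot/news-sync-update"   # stable bot branch, force-pushed each run
BASE_BRANCH = "main"

Runner = Callable[[Sequence[str]], str]   # takes the gh arguments, returns stdout


def real_gh(args: Sequence[str]) -> str:
    """Run `gh <args>`; raises CalledProcessError on a non-zero exit."""
    return subprocess.run(["gh", *args], check=True, capture_output=True, text=True).stdout


def existing_pr_number(list_json: str) -> Optional[int]:
    """Parse `gh pr list --json number` output.

    An empty list must yield None. jq's `.[0].number` prints the literal
    string "null" for `[]`, so a `[ -n "$pr" ]` test saw a value and skipped
    `gh pr create`; `.[0].number // empty` (the shipped fix) prints nothing.
    json.loads plus an explicit emptiness test is the equivalent here.
    """
    prs = json.loads(list_json.strip() or "[]")
    return int(prs[0]["number"]) if prs else None


def open_or_reuse_pr(run: Runner, title: str, body: str) -> int:
    """Return the open PR from HEAD_BRANCH into BASE_BRANCH, creating it if absent."""
    out = run(["pr", "list", "--head", HEAD_BRANCH, "--base", BASE_BRANCH,
               "--state", "open", "--json", "number"])
    number = existing_pr_number(out)
    if number is not None:
        return number
    # No --label: labels that do not exist in the repo make gh pr create fail.
    url = run(["pr", "create", "--head", HEAD_BRANCH, "--base", BASE_BRANCH,
               "--title", title, "--body", body]).strip()
    return int(url.rstrip("/").rsplit("/", 1)[-1])   # gh prints the new PR's URL


def arm_auto_merge(run: Runner, number: int) -> bool:
    """Enable squash auto-merge; the merge happens once required checks pass.

    Returns False instead of failing the job when the repo has
    'Allow auto-merge' disabled: the PR then stays open for a human.
    """
    try:
        run(["pr", "merge", str(number), "--auto", "--squash"])
        return True
    except subprocess.CalledProcessError:
        return False


def publish(run: Runner, title: str = "chore: news sync", body: str = "") -> dict:
    number = open_or_reuse_pr(run, title, body)
    return {"pr": number, "auto_merge_armed": arm_auto_merge(run, number)}


class FakeGh:
    """Scripted stand-in for the gh CLI (constructed for offline runs)."""

    def __init__(self, open_prs: list, auto_merge_allowed: bool):
        self.open_prs = open_prs
        self.auto_merge_allowed = auto_merge_allowed
        self.calls = []

    def __call__(self, args: Sequence[str]) -> str:
        self.calls.append(list(args))
        if list(args[:2]) == ["pr", "list"]:
            return json.dumps([{"number": n} for n in self.open_prs])
        if list(args[:2]) == ["pr", "create"]:
            return "https://github.com/example/repo/pull/42\n"
        if list(args[:2]) == ["pr", "merge"]:
            if not self.auto_merge_allowed:
                raise subprocess.CalledProcessError(
                    1, ["gh", *args], stderr="auto-merge is not allowed (constructed message)")
            return ""
        raise AssertionError(f"unexpected gh call: {args}")


def demo() -> dict:
    """First run: nothing open, auto-merge on. Second run: PR #7 open, auto-merge off."""
    first = FakeGh(open_prs=[], auto_merge_allowed=True)
    second = FakeGh(open_prs=[7], auto_merge_allowed=False)
    return {
        "first": publish(first),
        "first_created": any(c[:2] == ["pr", "create"] for c in first.calls),
        "second": publish(second),
        "second_created": any(c[:2] == ["pr", "create"] for c in second.calls),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))   # offline run; pass real_gh for the real step
```

The `concurrency: news-sync` block in the workflow is what makes the list-then-create sequence safe: two overlapping runs would otherwise both see no open PR and both try to create one against the same head branch.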
jung-thomas merged commit 6a524e3 into main on Jun 1, 2026
3 checks passed
jung-thomas deleted the ospo-hardening-2026-06 branch on June 1, 2026 16:14