Permission Posture

This document records the intended repository permission model for PR Maven CLI.

Current Stabilization Mode

The repository is public during the initial stabilization phase.

This keeps GitHub branch protection available without requiring a paid plan.

Do not switch it to private if that would disable branch protection or repository rules. A private stabilization phase should only be used when the account or organization plan supports the same branch protection controls used in public OSS mode.

Current maintainer policy:

  • Will-thom (GitHub: @Will-thom) is the founder and principal maintainer.
  • No external collaborator should receive write, maintain, or admin access during stabilization unless intentionally promoted.
  • External contributors can open issues and pull requests, but merge rights should stay limited to maintainers.

Public OSS Mode

The public repository must keep main protected before accepting outside contributions.

Required public-mode controls:

  • Require the All CI checks status before merge.
  • Require at least one approving pull request review before merge.
  • Require review from the repository code owner before merge.
  • Enforce the rule for administrators.
  • Require conversation resolution before merge.
  • Disable force pushes.
  • Disable branch deletion.
  • Keep the public metadata guard inside All CI checks so agent or tool names in branch names, pull request titles, and commit messages block merges.
  • Maintain a repository ruleset for main that rejects commit messages containing blocked coding agent or tool names when GitHub rulesets are available.
  • Delete pull request head branches after merge.
  • Keep merge rights limited to users with write, maintain, or admin access.
  • Keep @Will-thom as the repository-wide code owner through .github/CODEOWNERS.

Founder deadlock prevention:

  • @Will-thom may be configured as a pull request review bypass actor while the project has only one maintainer.
  • This bypass exists to prevent the founder from being unable to merge founder-authored maintenance PRs.
  • It should be used only when CI is green, conversations are resolved, labels are correct, and the change is intentionally scoped.
  • Remove the bypass after at least one additional trusted maintainer or code owner can review founder-authored PRs.

GitHub Actions Permissions

Repository-level workflow token default:

  • contents: read.
  • Workflows cannot approve pull request reviews.

Workflow-specific policy:

  • CI uses contents: read; its public metadata guard checks branch names, pull request titles, and commit messages before All CI checks can pass.
  • Security uses contents: read, security-events: write, and pull-requests: read.
  • Release defaults to contents: read; package jobs receive id-token: write and attestations: write only for GitHub artifact and SBOM attestations; only the release publishing job receives contents: write.
  • Thank Contributor uses contents: read, issues: write, and pull-requests: write only to read the base repository template through the GitHub API and write a comment. It must not check out or execute contributor code.
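The per-workflow caps above can be checked mechanically. The following lint is an added example and not part of PR Maven CLI; it takes workflows already parsed into dicts (for example the output of yaml.safe_load) so it runs offline, and the Release job ids "package" and "publish" are hypothetical placeholders.

```python
# Added example (not PR Maven CLI code): a least-privilege lint for the
# `permissions:` blocks of the workflows listed above. It takes workflows
# already parsed into dicts (e.g. from yaml.safe_load), so it runs offline.
LEVELS = {"none": 0, "read": 1, "write": 2}
SCOPES = ("contents", "security-events", "pull-requests", "issues", "id-token", "attestations")

# Caps taken from this page. Job ids "package" and "publish" are hypothetical.
POLICY = {
    "CI": {"workflow": {"contents": "read"}, "jobs": {}},
    "Security": {"workflow": {"contents": "read", "security-events": "write", "pull-requests": "read"}, "jobs": {}},
    "Release": {"workflow": {"contents": "read"},
                "jobs": {"package": {"id-token": "write", "attestations": "write"}, "publish": {"contents": "write"}}},
    "Thank Contributor": {"workflow": {"contents": "read", "issues": "write", "pull-requests": "write"}, "jobs": {}},
}

def expand(perms):
    """Turn the read-all / write-all shorthands into explicit per-scope grants."""
    if perms in ("read-all", "write-all"):
        return {scope: perms.split("-")[0] for scope in SCOPES}
    return dict(perms or {})  # no block: repository default (contents: read) applies

def violations(where, granted, allowed):
    """List every granted scope whose level exceeds the cap; a scope absent from the cap means none."""
    return [f"{where}: {scope}: {level} exceeds policy ({allowed.get(scope, 'none')})"
            for scope, level in granted.items()
            if LEVELS[level] > LEVELS[allowed.get(scope, "none")]]

def audit_workflow(workflow):
    """Return policy findings for one parsed workflow; an empty list means compliant."""
    name = workflow.get("name", "<unnamed>")
    rule = POLICY.get(name)
    if rule is None:
        return [f"{name}: no policy entry; add one before enabling this workflow"]
    findings = violations(f"{name} (workflow)", expand(workflow.get("permissions")), rule["workflow"])
    for job_id, job in workflow.get("jobs", {}).items():
        if "permissions" not in job:
            continue  # job inherits the workflow-level block, already checked
        # A job-level block replaces the workflow block, so its cap is the workflow cap plus job extras.
        allowed = {**rule["workflow"], **rule["jobs"].get(job_id, {})}
        findings += violations(f"{name}/{job_id}", expand(job["permissions"]), allowed)
    return findings

# Constructed sample: a Release workflow whose package job drifted to contents: write.
SAMPLE_RELEASE = {
    "name": "Release", "permissions": {"contents": "read"},
    "jobs": {"package": {"permissions": {"contents": "write", "id-token": "write", "attestations": "write"}},
             "publish": {"permissions": {"contents": "write"}}},
}
```

Running `audit_workflow(SAMPLE_RELEASE)` reports only the package job's contents: write, which is exactly the drift the Release policy above forbids.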

Code Security And External Integrations

The project should avoid repository secrets for the Stage 1 local-first MVP.

Enabled public-repository security controls:

  • Secret scanning.
  • Secret scanning push protection.
  • Dependabot security updates.

Core analyzer guardrails:

  • pkg/prmaven tests exercise analysis without GitHub or GitLab provider tokens.
  • Production core code must not import network/provider clients.
  • Production core code must not read provider environment variables.

Expected empty surfaces during stabilization:

  • GitHub Actions secrets.
  • GitHub Actions variables.
  • Webhooks.
  • Environments.
  • Deployments.
  • GitHub Pages.

OSS Contributor Readiness

Before actively inviting OSS contributors:

  1. Validate branch protection for main.
  2. Confirm All CI checks is the required status gate.
  3. Confirm CODEOWNERS still routes ownership to @Will-thom.
  4. Confirm pull request reviews and code owner review are required.
  5. Confirm any founder bypass is still intentional and documented.
  6. Confirm secret scanning, push protection, and Dependabot security updates are still enabled.
  7. Confirm no unintended collaborators, secrets, variables, webhooks, environments, deployments, releases, or pages were added.
  8. Re-run CI and Security on main.