Finding
project.bootstrap.yaml defines repo governance that is not currently enforced in live GitHub settings.
Observed during review:
- main branch protection is missing.
- GitHub environments count is 0, while the manifest defines dev, stage, and prod.
- deleteBranchOnMerge is false live, while the manifest expects true.
- Projects and wiki are enabled live, while the manifest expects both disabled.
- GitHub security policy is not enabled.
Why it matters
The manifest is supposed to be the control plane for required approvals, code-owner review, required CI Gate, stale-review dismissal, repo feature policy, and environment gates. Without live enforcement, PRs can bypass the intended project governance.
Scope
- Run bootstrap plan against project.bootstrap.yaml.
- Reconcile live GitHub settings with the manifest via scoped apply, or update the manifest if policy changed.
- Verify branch protection, required checks, environments, repo features, and delete-branch-on-merge after apply.
Acceptance criteria
- main has the intended branch protection.
- Required status checks include CI Gate.
- Required approvals/code-owner behavior matches the manifest.
- dev, stage, and prod environments exist or are intentionally removed from the manifest.
- Repo feature settings match the manifest.
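A drift check of the kind the scope calls for (plan, then verify after apply), as an added example that is not the project's own bootstrap tooling. The manifest layout, the shape of the live snapshot, and the field names are assumptions; a real run would fill the live snapshot from the GitHub API instead of the constructed values below.

```python
from typing import Any

# Constructed manifest; the real project.bootstrap.yaml layout is assumed here.
MANIFEST: dict[str, Any] = {
    "repo": {"deleteBranchOnMerge": True, "hasProjects": False, "hasWiki": False},
    "environments": ["dev", "stage", "prod"],
    "branchProtection": {"main": {
        "requiredStatusChecks": ["CI Gate"],
        "requiredApprovals": 1,
        "requireCodeOwnerReviews": True,
        "dismissStaleReviews": True,
    }},
}

# Constructed live snapshot reproducing the drift in the finding (a real run
# would populate this from the GitHub API, e.g. via `gh api`).
LIVE: dict[str, Any] = {
    "repo": {"deleteBranchOnMerge": False, "hasProjects": True, "hasWiki": True},
    "environments": [],
    "branchProtection": {},  # no rule on main at all
}


def drift(manifest: dict, live: dict) -> list[tuple[str, Any, Any]]:
    """Return (setting, expected, actual) for every live value that departs from the manifest."""
    out: list[tuple[str, Any, Any]] = []
    # Repo feature flags: compared one by one.
    for key, want in manifest["repo"].items():
        have = live["repo"].get(key)
        if have != want:
            out.append((f"repo.{key}", want, have))
    # Environments: compared as sets so both missing and unexpected ones are reported.
    want_envs, have_envs = set(manifest["environments"]), set(live["environments"])
    out += [(f"environments.{e}", "present", "missing") for e in sorted(want_envs - have_envs)]
    out += [(f"environments.{e}", "absent", "present") for e in sorted(have_envs - want_envs)]
    # Branch protection: an absent rule is one finding; otherwise compare field by field,
    # treating required status checks as a set so extra checks are not flagged as drift.
    for branch, rule in manifest["branchProtection"].items():
        have_rule = live["branchProtection"].get(branch)
        if have_rule is None:
            out.append((f"branchProtection.{branch}", "protected", "unprotected"))
            continue
        for key, want in rule.items():
            have = have_rule.get(key)
            if key == "requiredStatusChecks":
                if set(want) - set(have or []):
                    out.append((f"branchProtection.{branch}.{key}", want, have))
            elif have != want:
                out.append((f"branchProtection.{branch}.{key}", want, have))
    return out
```

An empty result from `drift(MANIFEST, live)` after apply is the pass condition for the acceptance criteria above; any tuple returned names the setting still out of line.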