From 335652c5fc6605a246fce9b676cf89e926a78f2b Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 15:58:19 +0200 Subject: [PATCH 1/3] config: require Format/Clippy/Test as org-wide branch-protection floor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Why: every active pulseengine Rust repo runs Format, Clippy, and Test under those exact job names. The previous empty `contexts: []` meant temper applied branch protection but didn't require any specific status checks — so brand-new repos and repos that hadn't been touched at the API level had unprotected merges. What: add the three universal Rust check names to `branch_protection.default.required_status_checks.contexts`. Repos with richer smithy patterns (spar, gale, sigil — Cargo Deny, Mutation Testing, etc.) keep their extras at the repo level via direct API; this list is the additive minimum, not an exclusive set. Test plan: - YAML parses cleanly (python yaml.safe_load). - npm test → 834 pass (unchanged; integration tests use inline config fixtures, not config.yml). - After merge: temper's scheduled sweep re-applies branch protection across all 27 pulseengine repos within the next sweep window. Out of scope: org-level Actions fork-PR-approval policy and allowed-actions allowlist (UI-only today; tracked as a follow-up feature request "feat: manage org-level Actions fork-PR-approval policy and allowed-actions allowlist via config.yml"). Co-Authored-By: Claude Opus 4.7 (1M context) --- config.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/config.yml b/config.yml index b13fdac..799e423 100644 --- a/config.yml +++ b/config.yml 
@@ -30,7 +30,15 @@ branch_protection: default: required_status_checks: strict: true - contexts: [] + # Org-wide floor: every active pulseengine Rust repo runs Format, + # Clippy, and Test under those exact job names. Repos with richer + # smithy patterns (spar, gale, sigil — Cargo Deny, Mutation Testing, + # etc.) keep those extras at the repo level via direct API; Temper + # treats this list as the additive minimum, not an exclusive set. + contexts: + - Format + - Clippy + - Test enforce_admins: true required_pull_request_reviews: required_approving_review_count: 0 From 8f61637bf5782dbad86abb9a24517d8976f50c00 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 16:08:24 +0200 Subject: [PATCH 2/3] config: warn against adding non-universal contexts to the floor Adds the safety warning from a parallel duplicate PR (#58, closing in favour of this one). The risk is concrete: any context added to this list that not every repo's CI defines will leave those repos stuck unable to merge. Keep the list universal-only. Co-Authored-By: Claude Opus 4.7 (1M context) --- config.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config.yml b/config.yml index 799e423..b858d16 100644 --- a/config.yml +++ b/config.yml @@ -35,6 +35,10 @@ branch_protection: # smithy patterns (spar, gale, sigil — Cargo Deny, Mutation Testing, # etc.) keep those extras at the repo level via direct API; Temper # treats this list as the additive minimum, not an exclusive set. + # WARNING: adding a context here that not every repo's CI ships + # will leave those repos unable to merge. Keep this list to the + # universal jobs only; per-repo extensions belong in repo-level + # branch protection. contexts: - Format - Clippy From d93d6ae87e07182d0e3a512c4fc85d744e59b743 Mon Sep 17 00:00:00 2001 
From: Ralf Anton Beier Date: Sun, 10 May 2026 13:28:47 +0200 Subject: [PATCH 3/3] config: weaken required_status_checks back to empty (small-repo safety) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Audit during smithy migration rollout (2026-05-10) found that several pulseengine repos don't define Format/Clippy/Test under those exact names: rules_lean (only verify-rules + build), pulseengine.eu (web build), .github (community files), rules_rocq_rust (mostly Bazel), wasm-component-examples, moonbit_checksum_updater, and a couple of MCP-server templates. Setting Format/Clippy/Test as required contexts org-wide via Temper would leave all those repos permanently unable to merge PRs (the required check would never appear because the workflow doesn't define it). Reverting contexts back to [] keeps the org-wide protection benefits — strict, signed-commits, no force push, no deletion, enforce_admins — without the small-repo trap. Per-repo can add specific required checks via direct API; smithy already does this on spar's main branch (13-context full smithy migration set). If we want a real org floor later, the right vehicle is shipping a starter workflow via pulseengine/.github that emits the expected check names everywhere. --- config.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/config.yml b/config.yml index b858d16..4fb89c3 100644 --- a/config.yml +++ b/config.yml 
@@ -30,19 +30,25 @@ branch_protection: default: required_status_checks: strict: true - # Org-wide floor: every active pulseengine Rust repo runs Format, - # Clippy, and Test under those exact job names. Repos with richer - # smithy patterns (spar, gale, sigil — Cargo Deny, Mutation Testing, - # etc.) keep those extras at the repo level via direct API; Temper - # treats this list as the additive minimum, not an exclusive set. - # WARNING: adding a context here that not every repo's CI ships - # will leave those repos unable to merge. Keep this list to the - # universal jobs only; per-repo extensions belong in repo-level - # branch protection. - contexts: - - Format - - Clippy - - Test + # Empty intentionally — see the smithy-migration audit on + # 2026-05-10. Several pulseengine repos (rules_lean, + # pulseengine.eu, .github, rules_rocq_rust, wasm-component- + # examples, moonbit_checksum_updater, …) don't define jobs + # called Format / Clippy / Test under those exact names. Adding + # them as required contexts here would leave those repos + # permanently un-mergeable. + # + # The protections below (signed commits, no force pushes, no + # deletions, enforce_admins, strict-up-to-date) still apply + # org-wide and are the bulk of the value. Per-repo can ADD + # specific gating checks via direct API (smithy already does + # this on spar's main branch, requiring the full 13-context + # smithy migration set). + # + # If we ever want a real org floor, the right vehicle is + # ensuring every repo first ships a stub workflow that emits + # the contexts (e.g. via a starter workflow in pulseengine/.github). + contexts: [] enforce_admins: true required_pull_request_reviews: required_approving_review_count: 0
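Review bot: (PATCH 1/3, hunk `@@ -30,7 +30,15 @@`) the premise "every active pulseengine Rust repo runs Format, Clippy, and Test under those exact job names" is narrower than the scope of the change: `branch_protection.default` is applied across all 27 repos by the scheduled sweep, not only Rust repos, and any repo whose workflows never emit a context named `Format`, `Clippy` or `Test` will have every PR blocked on a check that can never report. Before turning `contexts: []` into a hard floor, the test plan should include an inventory step that confirms each repo in the sweep actually produces those three check names, or the default should be scoped so non-Rust repos are excluded. Separately, the test plan notes that `npm test` is unchanged because the integration tests "use inline config fixtures, not config.yml", so nothing in CI currently asserts on the shipped `config.yml`; adding a test that loads the real file and checks `required_status_checks.contexts` would catch accidental drift in this list.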
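Review bot: (PATCH 2/3, hunk `@@ -35,6 +35,10 @@`) the added `# WARNING:` comment correctly names the failure mode (a non-universal context leaves repos unable to merge), but a comment cannot prevent it, and the consequence of getting it wrong is an org-wide merge outage that only clears on the next sweep. Consider pairing the warning with a guard that runs before the sweep applies the default, for example refusing to apply a non-empty `contexts` list unless every target repo is known to emit each listed check name, or at least logging which repos lack a listed context so the operator sees the mismatch before protection lands. The comment itself is fine to keep as documentation of intent; the `4 insertions(+)` in the diffstat matches the four added lines.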
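Review bot: (PATCH 3/3, hunk `@@ -30,19 +30,25 @@`) the replacement comment claims that "strict-up-to-date" still applies org-wide after reverting to `contexts: []`; please verify that against the branch-protection API behaviour before relying on it, since the up-to-date requirement is a sub-option of required status checks and may have no practical effect when no contexts are required. If it does not gate merges on its own, the comment overstates the remaining protection and should list only signed commits, no force pushes, no deletions and `enforce_admins`. Two smaller points in the same comment block: the repo name `wasm-component-examples` is wrapped across two lines as `wasm-component-` / `examples`, which defeats a grep for the repo name and reads like two items, so keep it on one line; and "Per-repo can ADD specific gating checks" reads more clearly as "Individual repos can add specific gating checks". The closing suggestion (shipping a starter workflow from `pulseengine/.github` so every repo emits the expected contexts before an org floor is reintroduced) is the right sequencing and is worth tracking as a follow-up alongside the Actions-policy item from PATCH 1/3.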