Include main branch ruleset as part of the template

[d-morrison]

Adapted from d-morrison/rpt#134.

Summary

• Export the live main branch ruleset to .github/rulesets/main.json (server-assigned fields stripped so it round-trips through the create/update endpoints).
• New .github/scripts/apply-rulesets.sh idempotently applies every JSON in .github/rulesets/ to the current repo — PUT to update an existing ruleset by name, POST to create.
• New .github/rulesets/README.md documents what's enforced (required PR, no force-push / no deletion, copilot code review on push, Maintain-role PR-only bypass) and how to re-export after editing in the UI.
• README.Rmd / README.md: add a one-step entry under "Setup steps" pointing to the script.

Test plan

• Create a throwaway repo from the template and run .github/scripts/apply-rulesets.sh against it — verify the ruleset shows up under Settings → Rules → Rulesets.
• Re-run the script — confirm it updates in place rather than creating a duplicate.
• Edit a rule in .github/rulesets/main.json, run the script, confirm the change appears in the GitHub UI.

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR packages the template repository’s default-branch protection ruleset into the template itself, along with tooling and documentation to apply and maintain it in newly created repos.

Changes:

• Adds an exported main branch ruleset JSON under .github/rulesets/ plus documentation for what it enforces and how to re-export it.
• Introduces .github/scripts/apply-rulesets.sh to idempotently create/update rulesets in a target repo via the GitHub API.
• Updates README.Rmd / README.md setup steps to instruct users to apply the ruleset.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
README.Rmd	Adds setup-step documentation for applying rulesets.
README.md	Adds setup-step documentation for applying rulesets.
.github/scripts/apply-rulesets.sh	New script to create/update rulesets from JSON definitions.
.github/rulesets/README.md	Documents ruleset behavior and re-export process.
.github/rulesets/main.json	Exported ruleset definition for the default branch.

[d-morrison]

@claude address review comments

[claude]

Claude finished @d-morrison's task in 2m 4s —— View job

---

Addressed Review Comments

• Read changed files to understand current state
• Fix pagination issue in .github/scripts/apply-rulesets.sh
• Fix step ordering in README.Rmd
• Fix step ordering in README.md
• Commit and push changes

Changes made

.github/scripts/apply-rulesets.sh — pagination fix

Added --paginate and piped through jq -s 'add // []' so all pages of rulesets are fetched before building the name→id map:

# Before
existing=$(gh api "repos/$repo/rulesets" --jq '[.[] | {name, id}]')

# After
existing=$(gh api --paginate "repos/$repo/rulesets" --jq '[.[] | {name, id}]' | jq -s 'add // []')

--paginate fetches every page (each emitting a JSON array); jq -s 'add // []' merges those arrays into one flat array that the downstream jq lookup can work with correctly.

README.Rmd / README.md — step ordering fix

Swapped steps 2 and 3 so users push their initial commit to main before applying the ruleset that blocks direct pushes:

• Step 2 → Push to main branch (initial commit)
• Step 3 → Apply branch rulesets (protects main after the seed content is in place)
  |

[d-morrison]

@claude fix failing workflows then iterate

[claude]

Claude finished @d-morrison's task in 3m 11s —— View job

---

Fixed Failing Workflows

• Gather context (CI status, changed files)
• Identify failing workflows
• Fix Spellcheck — added rulesets to inst/WORDLIST
• Fix Check Links — excluded quarto.org in lychee.toml (trusted docs site unreachable from CI runners due to network restrictions)
• Push changes

Cannot Fix — Workflow Permission Limitation

• Claude Code Review is failing because the workflow was triggered by claude[bot] (a bot), and the review action requires bots to be listed in allowed_bots. Fixing this requires editing a .github/workflows/ file, which GitHub App permissions do not allow me to modify.

  The error was:

  Workflow initiated by non-human actor: claude (type: Bot).
  Add bot to allowed_bots list or use '*' to allow all bots.
  

  To fix manually: edit the Claude Code Review workflow file and add allowed_bots: "claude[bot]" (or "*") to the action inputs. See the FAQ for more details.

---

Committed: fix: resolve spellcheck and link-checker CI failures → pushed to claude/include-branch-ruleset
|

[d-morrison]

@claude review, then revise, iteratively

[claude]

Claude finished @d-morrison's task in 3m 40s —— View job

---

Review & Revise

• Gather context and read changed files
• Review: .github/scripts/apply-rulesets.sh — pagination fix is correct; script logic is sound
• Review: .github/rulesets/main.json — well-formed, server-assigned fields stripped, ~DEFAULT_BRANCH targets correctly
• Review: .github/rulesets/README.md — fixed: added RULESET_ID discovery command
• Review: README.Rmd / README.md — fixed: project structure now includes rulesets/ and apply-rulesets.sh
• Review: inst/WORDLIST / lychee.toml — correct
• Commit and push (96dfd15)

---

Summary of changes

.github/rulesets/README.md — added a discovery command before the re-export snippet so users know how to find the RULESET_ID:

# Find your ruleset ID:
gh api repos/OWNER/REPO/rulesets --jq '[.[] | {name, id}]'

README.Rmd / README.md — updated the project structure tree to include the new files added by this PR:

└── .github/
    ├── rulesets/            # Branch ruleset definitions
    │   ├── main.json        # Default branch ruleset
    │   └── README.md        # Ruleset documentation
    ├── scripts/
    │   ├── apply-rulesets.sh    # Apply branch rulesets to a new repo
    │   └── ...

Notes from the review

• apply-rulesets.sh: The pagination logic (--paginate + jq -s 'add // []') is correct for single-page, multi-page, and zero-page cases.
• main.json: ~DEFAULT_BRANCH is the right target (adapts to any default branch name). bypass_actors role ID 2 is the Maintain role — correctly documented. required_approving_review_count: 0 is a reasonable template default; users can tighten this.
• lychee.toml: Excluding quarto.org means broken quarto.org links won't be detected by CI, but this appears necessary since the CI runners can't reach the site.
  | Branch

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://d-morrison.github.io/qwt/pr-preview/pr-72/
Built to branch gh-pages at 2026-05-19 10:06 PDT. Preview will be ready when the GitHub Pages deployment is complete.

[d-morrison]

@claude review

[claude]

Claude finished @d-morrison's task in 1m 26s —— View job

---

Code Review

• Gather context
• Read changed files
• Analyze and provide review feedback

---

Overall this PR is well-implemented. The previous iterations already addressed the Copilot review comments (pagination, step ordering). Here's a full review of the current state:

.github/scripts/apply-rulesets.sh — looks good

The script is solid:

• Executable bit is set (100755) — correct.
• Pagination (--paginate + jq -s 'add // []') correctly handles zero, one, and multi-page results.
• set -euo pipefail — good defensive shell scripting.
• shopt -s nullglob — correctly handles the no-JSON-files case.
• jq -r ... // empty on line 29 correctly produces empty output (not null) when a ruleset isn't found, so the [ -n "$id" ] branch condition is reliable.

One minor nit: the header comment says "Run once after creating a new repo" but the script is idempotent and is designed to be re-run freely. Consider changing "once" to something like "after creating a new repo from this template, or whenever the ruleset definitions change."

Fix this →

.github/rulesets/main.json — one thing worth noting

The ruleset is well-formed. ~DEFAULT_BRANCH is the right target. Server-assigned fields are stripped.

required_approving_review_count: 0 — PRs can be merged with zero approvals. This is a reasonable minimal default for a template (users can tighten it), but it's worth calling out explicitly in the README so template users know to raise this if they want review gates. Currently the README doesn't mention it.

bypass_actors bypass_mode: "pull_request" — The README says "Maintainers can merge via a PR they authored", but bypass_mode: "pull_request" actually means the Maintain role can merge any PR while bypassing the ruleset requirements (e.g., even if required reviews aren't met). It's not limited to PRs they authored. The current description is slightly misleading — consider: "Maintain role can merge pull requests even when PR requirements are not otherwise satisfied." Fix this →

.github/rulesets/README.md — mostly good

The discovery command + re-export snippet is helpful and the jq del(...) fields match what GitHub actually returns. One suggestion: document that required_approving_review_count: 0 is intentional and adjustable, so template users don't assume they have review gates when they don't.

README.Rmd / README.md — correct

Step ordering is now right (push to main first, then apply rulesets), which was the core issue. The project structure tree now includes the new files. The (requires admin access) note on step 3 is a useful heads-up.

inst/WORDLIST / lychee.toml — correct

• rulesets added to spellcheck wordlist — appropriate.
• quarto.org excluded from link checker with an explanatory comment — pragmatic fix. Note that this means broken quarto.org links won't be caught by CI going forward. The comment is honest about the trade-off; acceptable.

---

Summary

The PR is ready to merge with one genuine correctness issue worth fixing before merge:

	Issue	Severity
main.json	required_approving_review_count: 0 is undocumented — template users may not realize PRs need zero reviews	Minor
.github/rulesets/README.md	bypass_mode: "pull_request" description is slightly misleading	Minor
.github/scripts/apply-rulesets.sh	"Run once" comment is misleading for an idempotent script	Nit
Branch