This document outlines the branch protection rules, workflows, and governance policies for the IQToolkit Analyzer repository.
- Restrict pushes - No direct pushes allowed
- Require pull request reviews - At least 1 approval required
- Dismiss stale reviews - When new commits are pushed
- Require review from code owners - If CODEOWNERS file exists
- Restrict review dismissals - Only admins can dismiss reviews
- Require status checks - All CI checks must pass:
  - test (3.14) - CI test matrix
  - integration-test - Integration test suite
  - commitlint - Commit message linting (disabled)
  - branch-name-check - Branch naming convention
  - CodeQL - Security analysis
- Require up-to-date branches - Must be current with main
- Include administrators - Admins follow same rules
- Allow force pushes - Disabled
- Allow deletions - Disabled
- Restrict pushes - No direct pushes allowed
- Require pull request reviews - At least 1 approval required
- Require status checks - All CI checks must pass:
  - test - Full CI test suite
  - commitlint - Commit message validation (disabled)
  - branch-name-check - Branch naming validation
  - CodeQL - Security analysis
- Require up-to-date branches - Must be current with develop
- Include administrators - Recommended but not enforced
- Allow force pushes - Disabled
- Allow deletions - Disabled
Repository administrators should configure these rules in: Settings → Branches → Add rule
Example rule configuration:
Branch name pattern: main
☑️ Restrict pushes that create files larger than 100MB
☑️ Require a pull request before merging
☑️ Require approvals: 1
☑️ Dismiss stale reviews when new commits are pushed
☑️ Require review from code owners
☑️ Require status checks to pass before merging
☑️ Require branches to be up to date before merging
Required status checks:
- test (3.11)
- test (3.12)
- test (3.13)
- test (3.14)
- integration-test
- (commit message checks disabled)
- CodeQL
☑️ Require conversation resolution before merging
☑️ Include administrators
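Branch protection is configured by hand in the UI, so it can drift from the rule above without anyone noticing. The following audit script is an added example, not part of the IQToolkit Analyzer repository: it compares a branch-protection payload against the main-branch policy listed here (one approval, stale-review dismissal, code-owner review, up-to-date branches, the required status checks, administrators included, no force pushes, no deletions). It assumes the nested `{"enabled": ...}` shape returned by GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint; both sample payloads are constructed, not captured from the real repository.

```python
"""Audit a GitHub branch-protection payload against the main-branch policy.

Added example, not the repository's own tooling. Assumes the JSON shape of the
GitHub REST "get branch protection" response (boolean settings nested as
{"enabled": bool}); SAMPLE_DRIFTED and SAMPLE_COMPLIANT are constructed.
"""
import json

# Status checks the main-branch rule in this document requires.
REQUIRED_CHECKS = {
    "test (3.11)", "test (3.12)", "test (3.13)", "test (3.14)",
    "integration-test", "CodeQL",
}

# Constructed sample: a configuration that has drifted from the policy.
SAMPLE_DRIFTED = json.dumps({
    "required_status_checks": {"strict": True, "contexts": ["test (3.14)", "CodeQL"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "required_conversation_resolution": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": True},
})

# Constructed sample: a configuration that matches the policy exactly.
SAMPLE_COMPLIANT = json.dumps({
    "required_status_checks": {"strict": True, "contexts": sorted(REQUIRED_CHECKS)},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "required_conversation_resolution": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
})


def _enabled(protection: dict, key: str) -> bool:
    # Boolean settings are nested objects with an "enabled" flag; a missing
    # key means the setting is off.
    return bool(protection.get(key, {}).get("enabled", False))


def audit_main_protection(protection_json: str) -> list:
    """Return a list of findings; an empty list means the rule matches the policy."""
    p = json.loads(protection_json)
    findings = []

    reviews = p.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("fewer than 1 approval required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale reviews are not dismissed on new commits")
        if not reviews.get("require_code_owner_reviews", False):
            findings.append("code owner review not required")

    checks = p.get("required_status_checks")
    if checks is None:
        findings.append("status checks are not required")
    else:
        if not checks.get("strict", False):
            findings.append("branches are not required to be up to date")
        # Every check the policy names must be present; extra checks are fine.
        for name in sorted(REQUIRED_CHECKS - set(checks.get("contexts", []))):
            findings.append(f"required status check missing: {name}")

    if not _enabled(p, "enforce_admins"):
        findings.append("administrators are not included")
    if not _enabled(p, "required_conversation_resolution"):
        findings.append("conversation resolution not required")
    if _enabled(p, "allow_force_pushes"):
        findings.append("force pushes are allowed")
    if _enabled(p, "allow_deletions"):
        findings.append("branch deletion is allowed")
    return findings


if __name__ == "__main__":
    for finding in audit_main_protection(SAMPLE_DRIFTED):
        print("DRIFT:", finding)
```

Feed it the live payload (for example the output of `gh api repos/OWNER/REPO/branches/main/protection`) on a schedule and alert on any non-empty result; the checks list is the part most likely to drift silently when a CI job is renamed.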
Triggers: Push/PR to main, feature/*, release/*
- Test Matrix - Python 3.11-3.14 across Ubuntu
- Code Quality - Ruff format, Ruff check, MyPy checks
- Unit Tests - Pytest
Triggers: Push/PR to main, develop
- CodeQL - Static security analysis
- Language Detection - Python codebase scanning
- Vulnerability Detection - Security issue identification
Triggers: Pull requests (opened/edited/synchronize/reopened)
- PR size labeling - Auto-label PR by lines changed
- Auto-assign - Assign author to PR
- Summary comment - Post change summary and checklist
- Note: Semantic PR title enforcement and branch naming validation are disabled.
Triggers: Tag push (v*)
- Version Verification - Ensure VERSION file matches tag
- Package Building - Create wheel and source distributions
- GitHub Release - Auto-generate release notes
- PyPI Publishing - Automated package upload
- Changelog Update - Maintain release history
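The "Version Verification" step above is the control that stops a mistyped or reused tag from publishing a package whose metadata disagrees with the tag. The check below is an added example of that step, not the project's own workflow code: it parses a `v*` tag (as a bare tag or as a `refs/tags/...` ref), rejects malformed tags, and compares the result with a single-line `VERSION` file. The sample values are constructed.

```python
"""Check that a release tag matches the repository VERSION file.

Added example, not the project's own release workflow. Assumes the tag is a
bare "v1.2.3"-style tag or a "refs/tags/v1.2.3" ref, and that VERSION holds
one non-empty line; the values used below are constructed.
"""
import re
import sys
from pathlib import Path

# vMAJOR.MINOR.PATCH with an optional pre-release suffix such as -rc1.
TAG_PATTERN = re.compile(r"^v(\d+\.\d+\.\d+(?:[-.][0-9A-Za-z.]+)?)$")


def tag_to_version(ref: str) -> str:
    """Extract the version from a v* tag; raise ValueError if the tag is malformed."""
    tag = ref.removeprefix("refs/tags/")
    match = TAG_PATTERN.match(tag)
    if not match:
        raise ValueError(f"tag {tag!r} is not of the form vMAJOR.MINOR.PATCH")
    return match.group(1)


def verify_version_tag(ref: str, version_file_content: str) -> bool:
    """True when the tag's version equals the VERSION file content (trimmed)."""
    file_version = version_file_content.strip()
    if not file_version or "\n" in file_version:
        raise ValueError("VERSION must contain exactly one non-empty line")
    return tag_to_version(ref) == file_version


def main(argv: list) -> int:
    # Usage: verify_version.py <tag-or-ref> [path/to/VERSION]
    if len(argv) < 2:
        print("usage: verify_version.py <tag-or-ref> [VERSION-file]", file=sys.stderr)
        return 2
    version_path = Path(argv[2] if len(argv) > 2 else "VERSION")
    try:
        ok = verify_version_tag(argv[1], version_path.read_text())
    except (OSError, ValueError) as exc:
        print(f"version verification error: {exc}", file=sys.stderr)
        return 2
    if not ok:
        print(f"tag {argv[1]} does not match {version_path}", file=sys.stderr)
        return 1
    print("tag matches VERSION")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow, run it as `python verify_version.py "$GITHUB_REF"` before the build step so that a non-zero exit aborts the release before anything is uploaded.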
Configure these in Settings → Secrets and variables → Actions:
- PYPI_API_TOKEN - PyPI publishing token for automated releases
- CODECOV_TOKEN - (Optional) Codecov integration for coverage reports
- Create PyPI account and verify email
- Generate API token: Account settings → API tokens → Add API token
- Scope: Entire account or specific to iqtoolkit-analyzer
- Add to GitHub: Settings → Secrets → New repository secret
  - Name: PYPI_API_TOKEN
  - Value: pypi-... (your token)
- Sign up at codecov.io with GitHub account
- Add iqtoolkit-analyzer repository
- Copy upload token from repository settings
- Add to GitHub secrets as CODECOV_TOKEN
- Default branch - Set to main
- Allow merge commits - ✅ Enabled
- Allow squash merging - ✅ Enabled (default for features)
- Allow rebase merging - ✅ Enabled
- Automatically delete head branches - ✅ Enabled
- Allow auto-merge - ✅ Enabled (optional)
- Base permissions - Read for public repo
- Admin access - Repository owner(s)
- Maintain access - Core maintainers (if any)
- Write access - Trusted contributors (if any)
- main - Full protection with required reviews
- develop - Protection with required status checks
- Actions permissions - Allow GitHub Actions
- Fork pull request workflows - Require approval for first-time contributors
- Workflow permissions - Read and write permissions
- Dependency graph - ✅ Enabled
- Dependabot alerts - ✅ Enabled
- Dependabot security updates - ✅ Enabled
- Code scanning alerts - ✅ Enabled (CodeQL)
- Secret scanning - ✅ Enabled
- All contributors - Must follow branch protection and workflows
- External contributors - PRs require maintainer approval to run Actions
- Repository admins - Can override protections in emergencies
In case of critical issues requiring immediate fixes:
- Hotfix Process - Preferred approach:

  ```bash
  git checkout main
  git checkout -b hotfix/critical-security-fix
  # Make fix, test, commit
  # Create PR with "hotfix" label for priority review
  ```

- Admin Override - Last resort only:
  - Temporarily disable branch protection
  - Make critical fix directly
  - Re-enable protection immediately
  - Document override in issue/PR
- Failed status checks - PR cannot merge until fixed
- Missing approvals - Must get required reviews
- Commit message style and branch naming are not enforced by workflows.
For questions about repository governance:
- GitHub Issues - Technical questions about workflows
- Email - gio@iqtoolkit.ai for access/permission issues
- Discussions - General questions about contribution process
This governance model ensures code quality, security, and collaboration while maintaining development velocity.