
[worktree-20260606-211401] feat(enforce-flip): swap merge-pipeline-checks -> review-gate; review-gate enforce #699

Closed. joeoakhart wants to merge 2 commits into main from staged-be5700224e88-1780807796

joeoakhart (Collaborator) commented Jun 7, 2026

Commits

  • feat(enforce-flip): swap merge-pipeline-checks -> review-gate; review-gate enforce
  • chore: bump version to v1.17.143

Auto-generated by merge-to-main-pr.sh from git log --no-merges origin/main..HEAD.

Summary by CodeRabbit

  • Chores
    • Updated GitHub branch protection checks to replace legacy merge validation with a new review gate
    • Activated enforcement mode for the review gate mechanism
    • Updated plugin configurations and test fixtures to support the new requirements

Test and others added 2 commits June 6, 2026 22:05
…-gate enforce

Story 3ee4 (Option A enforce-flip) + cca8 DD2 riding the go-live.

- required-checks.txt: merge-pipeline-checks OUT, review-gate IN (llm-review retained)
- review-gate.yml: DSO_REVIEW_GATE_MODE warn -> enforce
- update-required-checks-manifest.sh / promote-ruleset-required.sh: MAIN staged
  check swapped to review-gate (+ their tests). The merge-pipeline-checks JOB is
  retained in ci.yml (still fires on the sub-PR path); it is removed only from the
  MAIN ruleset required set.

Live ruleset 15629023 provisioned (admin, atomic surgical PATCH): review-gate IN /
merge-pipeline-checks OUT, required_linear_history added, allowed_merge_methods=[rebase],
bypass identity 207596960 preserved. R5/R8 roundtrip green post-provision;
ruleset-design-invariants green under the non-admin identity (I4/I7 = never).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
DSO-Story: worktree-20260606-211401
@joeoakhart joeoakhart enabled auto-merge (rebase) June 7, 2026 05:06
coderabbitai Bot commented Jun 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 32c82dcc-3847-47c8-97f1-05e6505c9b56

📥 Commits

Reviewing files that changed from the base of the PR and between 0e636a3 and b50e241.

📒 Files selected for processing (7)
  • .github/required-checks.txt
  • .github/workflows/review-gate.yml
  • plugins/dso/.claude-plugin/plugin.json
  • plugins/dso/scripts/promote-ruleset-required.sh
  • plugins/dso/scripts/update-required-checks-manifest.sh
  • tests/scripts/test-promote-ruleset-required.sh
  • tests/scripts/test-validate-required-checks.sh

Walkthrough

This PR activates review-gate enforcement by switching it from warn to enforce mode, replacing merge-pipeline-checks as the required check context across workflow configuration, required-checks lists, management scripts, and tests.

Changes

Review-gate enforcement and required-checks switch

Layer / File(s) / Summary

  • Review-gate mode switch to enforce
    File(s): .github/workflows/review-gate.yml, plugins/dso/.claude-plugin/plugin.json
    Summary: The DSO_REVIEW_GATE_MODE environment variable changes from warn to enforce, causing sub-check preconditions and violations to fail the gate. Workflow documentation is updated to reflect the go-live status. Plugin version is bumped to 1.17.143 to mark the behavior change.
  • Required-checks configuration switch
    File(s): .github/required-checks.txt
    Summary: The required GitHub check context list replaces merge-pipeline-checks with review-gate. Updated ownership comments document that merge-pipeline-checks remains in CI but is no longer a required context on main.
  • Promotion and manifest management scripts
    File(s): plugins/dso/scripts/promote-ruleset-required.sh, plugins/dso/scripts/update-required-checks-manifest.sh
    Summary: Scripts that promote required checks and bootstrap the required-checks manifest are updated to configure review-gate as the main-branch required check instead of merge-pipeline-checks. Expanded documentation explains review-gate behavior and clarifies that merge-pipeline-checks should not be re-added.
  • Promotion and manifest tests
    File(s): tests/scripts/test-promote-ruleset-required.sh, tests/scripts/test-validate-required-checks.sh
    Summary: Test fixtures and assertions are updated to verify that review-gate is correctly promoted, required, and present after script execution. Negative assertions confirm that merge-pipeline-checks is not re-added and that review-sub-pr is not introduced.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main changes: swapping merge-pipeline-checks for review-gate and switching review-gate to enforce mode.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

gitar-bot Bot commented Jun 7, 2026

CI failed: The `review-gate` CI check failed because commit `b50e241` is missing from the review coverage ledger, violating the enforcement policy that requires all merged commits to be linked to a reviewed PR.

Overview

The build failed in the review-gate stage due to a coverage invariant violation. One unreviewed commit was detected that lacks a corresponding entry in the .review-coverage-ledger, causing the enforcement gate to exit with a non-zero status.

Failures

Review Coverage Invariant Failure (confidence: high)

  • Type: configuration
  • Affected jobs: 79933199923
  • Related to change: yes
  • Root cause: The PR introduced commit b50e241, which is not recorded as reviewed in the DSO_REVIEWED_LEDGER. The enforcement mode requires all commits reaching the target branch to have verifiable review metadata.
  • Suggested fix: Ensure all commits in the PR are properly reviewed and recorded. If the ledger is out of sync, update the .review-coverage-ledger file locally or ensure the PR branch is rebased/squashed according to the organization's review policy to ensure all commits are covered.

Summary

  • Change-related failures: 1 (Review gate enforcement failure)
  • Infrastructure/flaky failures: 0
  • Recommended action: Review the commit history in your PR. If b50e241 is a new commit, verify it has been properly linked to an approved PR in the repository's review ledger. You may need to squash your commits or trigger the review process again to satisfy the ledger requirements.
Code Review ✅ Approved

Replaces legacy merge validation with the new review gate and enables enforcement mode for branch protection. No issues found.

github-actions Bot commented Jun 7, 2026

DSO-Review-Cycle: 1 pr_number=699 commit_sha=0e8324dd090a08f57f77a42feb1fb81138730d11 findings_hash=e3b0c44298fc1c14 tuples=[]

@joeoakhart (Collaborator, Author)

Superseded: the version-bump-tip wedge (bug 374f) is fixed in the new changeset (rc_a3b_should_exclude). Re-running the two-tier merge from the feature branch which now carries the coverage fix; review-gate will self-pass.
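
Added example (not part of this PR or the project's scripts): a minimal sketch of the gate behaviour this thread turns on, where a commit with no ledger entry is only reported in warn mode but fails the check in enforce mode. The ledger line format, the review_gate function and its exit codes are assumptions, and the SHAs are constructed.

```shell
#!/bin/sh
# Added example, not the project's script. Hypothetical ledger format:
# one "<40-hex-sha> pr=<number>" entry per line; '#' lines are comments.

# review_gate MODE LEDGER SHA...
# Prints "uncovered: <sha>" for each commit without a ledger entry.
# Returns 0 = pass, 1 = enforce-mode violation, 2 = misconfiguration.
review_gate() {
    mode=$1 ledger=$2
    shift 2
    # Fail closed: a mistyped mode must not silently behave like warn.
    case $mode in
        warn|enforce) ;;
        *) echo "review-gate: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # Fail closed: an unreadable ledger is an error, not "nothing to check".
    [ -r "$ledger" ] || { echo "review-gate: cannot read $ledger" >&2; return 2; }
    missing=0
    for sha in "$@"; do
        covered=no
        # Look up full lowercase SHAs only; an abbreviated id is ambiguous
        # and is reported as uncovered.
        if [ "${#sha}" -eq 40 ]; then
            case $sha in
                *[!0-9a-f]*) ;;
                # sha is validated hex here, so it is safe inside the regex.
                *) grep -Eq "^$sha([[:space:]]|\$)" "$ledger" && covered=yes ;;
            esac
        fi
        if [ "$covered" = no ]; then
            echo "uncovered: $sha"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ] && return 0
    if [ "$mode" = enforce ]; then return 1; fi
    echo "review-gate: $missing uncovered commit(s); warn mode, not failing" >&2
    return 0
}

# Constructed sample data: one reviewed commit, one unreviewed tip commit.
REVIEWED=$(printf '%040d' 1)
TIP=$(printf '%040d' 2)
demo_ledger=$(mktemp)
printf '# constructed ledger\n%s pr=1\n' "$REVIEWED" > "$demo_ledger"
review_gate warn "$demo_ledger" "$REVIEWED" "$TIP";    echo "warn    -> exit $?"
review_gate enforce "$demo_ledger" "$REVIEWED" "$TIP"; echo "enforce -> exit $?"
rm -f "$demo_ledger"
```

Returning 2 for an unknown mode or unreadable ledger keeps a broken configuration from looking like a passing gate once the check is a required context.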

@joeoakhart joeoakhart closed this Jun 7, 2026
auto-merge was automatically disabled June 7, 2026 15:32

Pull request was closed
