repopilot 0.11.0

Local-first CLI for repository audit, architecture risk detection, baseline tracking, and CI-friendly code review.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

# GitHub Branch Ruleset Configuration

This document describes the GitHub repository ruleset that protects the `main` branch.

## Repository metadata

Set these repository fields in **Settings -> General**:

| Setting | Value |
|---|---|
| Description | `Local-first CLI for repository audits, architecture risk detection, SARIF, CI gates, and AI-ready remediation context.` |
| Website | `https://github.com/MykytaStel/repopilot#readme` |
| Topics | `rust`, `cli`, `static-analysis`, `code-review`, `security`, `security-tools`, `architecture`, `sarif`, `github-actions`, `ai-tools`, `react-native`, `expo`, `npm` |

Recommended feature toggles:

| Setting | Value |
|---|---|
| Issues | Enabled |
| Projects | Disabled unless actively used |
| Wiki | Disabled unless actively used |
| Automatically delete head branches | Enabled |

## Repository security settings

Set these in **Settings -> Code security and analysis**:

| Setting | Value |
|---|---|
| Dependency graph | Enabled |
| Dependabot alerts | Enabled |
| Dependabot security updates | Enabled |
| Secret scanning | Enabled |
| Push protection | Enabled |
| Non-provider secret scanning patterns | Enabled if available |
| Secret validity checks | Enabled if available |

The repository also contains:

- `.github/dependabot.yml` for Cargo, npm, and GitHub Actions updates.
- `.github/workflows/codeql.yml` for CodeQL Rust and JavaScript/TypeScript scanning.

## Why rulesets instead of branch protection rules

GitHub Rulesets (available on all plans) supersede the legacy branch protection UI. Advantages:

- Layered rules (org-level + repo-level)
- Bypass lists for specific actors
- Rule insights (per-rule audit log)

## Setting up the `protect-main` ruleset

Go to **Settings → Rules → Rulesets → New ruleset** and configure the following.

### Target

| Setting | Value |
|---|---|
| Name | `protect-main` |
| Enforcement status | Active |
| Target branches | `refs/heads/main` |

### Rules

| Rule | Setting |
|---|---|
| Restrict deletions | Enabled |
| Require linear history | Enabled |
| Require a pull request before merging | Enabled |
| — Required approvals | `1` |
| — Dismiss stale approvals when new commits are pushed | Enabled |
| — Require review from Code Owners | Disabled (no `CODEOWNERS` file yet) |
| Require status checks to pass | Enabled |
| — Required status check | `Rust MSRV 1.87` |
| — Required status check | `Rust checks` |
| — Required status check | `Security and maintenance checks` |
| — Required status check | `CodeQL` |
| — Require branches to be up to date before merging | Enabled |
| Block force pushes | Enabled |

### Bypass list

Add **Repository admin** to the bypass list. This allows merging hotfixes in an emergency without being blocked by the ruleset. Keep the bypass list minimal.

## CODEOWNERS (future)

When the project has more contributors, add `.github/CODEOWNERS` to require domain-owner review:

```
# Audit rules require review from the core team
src/audits/   @MykytaStel
```

## Verifying the ruleset is active

Open a draft PR targeting `main` and confirm:

- The `Rust checks` status check is listed as required.
- Merging is blocked until the check passes and at least one approval is given.