mancitrus/system-prompts-and-models-of-ai-tools
1
0
Fork 0
mirror of https://github.com/x1xhlol/system-prompts-and-models-of-ai-tools.git synced 2026-06-18 07:19:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b86cf729de
system-prompts-and-models-o.../docs/governance/github-and-release.md
Sami Assiri c6efca32b5 docs(governance): expand operating fabric index and governance library 
Made-with: Cursor
2026-04-16 07:58:36 +03:00

44 lines
2.1 KiB
Markdown
Raw Blame History

# GitHub and release governance
**Canonical:** [`MASTER_OPERATING_PROMPT.md`](../../MASTER_OPERATING_PROMPT.md).
Treat GitHub as a **governance surface**, not only file hosting.
## Repository rules
- **Protected branches** for `main` (and release branches if used).
- **No direct push** to protected branches; work through PRs.
- **Required reviews** and **required status checks** before merge.
- **CODEOWNERS** as the team grows for critical paths.
- **Conversation resolution** on review threads before merge where policy requires it.
- **Signed commits** where org policy demands non-repudiation.
- **Linear history** or merge strategy per team convention — document the choice.
- **Merge queue** when CI is mature enough to serialize green merges.
## Environments and promotion
Use explicit promotion: **dev → staging → canary → prod** (names may vary; semantics must not).
- Deployment **protection rules** and environment **approvals** for production and production-like environments.
- Gates aligned with [trust-fabric.md](trust-fabric.md) (security, tests, evidence).
## Security SDLC on GitHub
- Static analysis (SAST) on PRs where available.
- **Dependency review** and automated update workflows (Renovate/Dependabot) with human policy for major bumps.
- **Secret scanning** and push protection.
- **Artifact provenance / attestations** where supply-chain risk warrants it.
- **OIDC federation** to cloud deploy roles instead of long-lived cloud secrets when possible.
## Audit retention
Do not rely on GitHub (or any single SaaS) **retention alone** for audit-critical evidence. Plan streaming or export for long-lived audit trails where legal or enterprise customers require it.
## Dealix pointers
- CI workflows: `salesflow-saas/.github/` (if present) or repo-root `.github/`.
- Local preflight: `salesflow-saas/verify-launch.ps1` delegating to `salesflow-saas/scripts/grand_launch_verify.ps1`.
- Launch checklist: `salesflow-saas/docs/LAUNCH_CHECKLIST.md`.
See also: [approval-policy.md](approval-policy.md), [discovery-and-output-checklist.md](discovery-and-output-checklist.md).
Reference in New Issue View Git Blame Copy Permalink