
Guard the custom layer and flag stray top-level entries#58

Merged
JesperSchulz merged 1 commit into
mainfrom
guard-custom-layer
Jun 26, 2026

Conversation

@JeremyVyska

Collaborator

What & why

PR #55 exposed two gaps in how the upstream repo protects its structure:

  1. Someone opened a PR adding content to the /custom/ layer — which is a template that should only ever be populated inside a fork, never upstream.
  2. The same PR leaked a new top-level folder.

This adds guardrails for both, plus an authoring-time guard in the WRITE skill.

Changes

skills/write.md — new "Writing to /custom/ — fork precondition" subsection. Instructs any author (human or agent) to confirm origin is not microsoft/BCQuality (via git remote get-url origin) before scaffolding /custom/ content, and to fork or re-target /community/ otherwise.

.github/workflows/guard-custom-layer.yml + .github/custom-layer-autoclose.md — auto-closes upstream PRs that add/modify /custom/ content beyond the template files (custom/README.md and .gitkeep stay allowed). Posts a friendly redirect-to-fork comment (in Jeremy's voice from the PR #55 close).

.github/workflows/flag-new-top-level.yml + .github/new-top-level-flag.md — non-blocking advisory: when a PR introduces an unexpected top-level folder/file (anything outside .github, community, custom, microsoft, skills, tools + the known root docs), it posts a single comment flagging it for a maintainer to eyeball. Does not close the PR. Idempotent across synchronize events.

Safety notes

  • Both workflows are gated if: github.repository == 'microsoft/BCQuality', so forks that legitimately populate /custom/ are never affected.
  • They use pull_request_target only to obtain a token that can comment/close fork PRs, and read the PR file list via the API — they never check out or execute PR code.

For review

  • @JesperSchulz — eyeballing before merge. Two design calls worth a look:
    • The custom guard allows maintainers to edit custom/README.md. Tighten to .gitkeep-only if you'd rather lock the template entirely.
    • The top-level flag also flags new top-level files (not just folders) outside the allowlist — easy to scope to folders only if that's noisy.

The /custom/ layer is a template: in upstream microsoft/BCQuality it stays
empty by default and is meant to be populated only inside a fork or consumer
clone. PR #55 both targeted /custom/ and leaked a new top-level folder.

- skills/write.md: add a fork-precondition guard so authors (human or agent)
  confirm they are not in microsoft/BCQuality before scaffolding /custom/ content.
- Guard custom layer workflow: auto-closes upstream PRs that add/modify /custom/
  content beyond the template files, with a friendly redirect-to-fork comment.
- Flag new top-level entries workflow: posts an advisory (non-blocking) comment
  when a PR introduces an unexpected top-level folder or file for maintainer review.

Both workflows run only on microsoft/BCQuality (never on forks) and read the PR
file list via the API without checking out or executing PR code.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
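The file-list classification that both workflows described above perform, written here as an added example in the style of an actions/github-script step; it is not code from this PR or the BCQuality repo. It takes the changed files in the shape the GitHub pulls.listFiles API returns them and reports /custom/ entries outside the two template files plus top-level entries outside the allowlist. The root-doc list (the page only says "the known root docs"), the function names and the sample files are this example's constructed assumptions.

```javascript
// Top-level folders the upstream repo owns (listed in the PR description).
const ALLOWED_TOP_LEVEL_DIRS = new Set([
  ".github", "community", "custom", "microsoft", "skills", "tools",
]);
// "The known root docs" are not enumerated on the page: assumed values.
const DEFAULT_ROOT_DOCS = new Set(["README.md", "LICENSE", "SECURITY.md"]);
// The only /custom/ entries the upstream guard allows (template files).
const CUSTOM_TEMPLATE_FILES = new Set(["custom/README.md", "custom/.gitkeep"]);
// Normalise a path from the pulls.listFiles response: forward slashes, no
// leading "./" or "/". ".." segments are left in place so they get flagged.
function normalisePath(p) {
  return p.replace(/\\/g, "/").replace(/^(\.\/|\/)+/, "");
}
// files: objects shaped like the GitHub pulls.listFiles response
// ({ filename, status, previous_filename }). Returns the /custom/ paths that
// trip the auto-close guard and the unexpected top-level entries to flag.
function classifyChangedFiles(files, rootDocs = DEFAULT_ROOT_DOCS) {
  const customViolations = [];
  const strayTopLevel = new Set();
  for (const f of files) {
    // A rename touches both locations; check the old path too.
    const candidates = [f.filename];
    if (f.status === "renamed" && f.previous_filename) {
      candidates.push(f.previous_filename);
    }
    for (const raw of candidates) {
      const path = normalisePath(raw);
      const [top, ...rest] = path.split("/");
      const isDir = rest.length > 0;
      if (top === "custom" && isDir && !CUSTOM_TEMPLATE_FILES.has(path)) {
        customViolations.push(path);
      }
      // Folders are checked against the dir allowlist, files against root docs.
      if (isDir ? !ALLOWED_TOP_LEVEL_DIRS.has(top) : !rootDocs.has(top)) {
        strayTopLevel.add(top);
      }
    }
  }
  return { customViolations, strayTopLevel: [...strayTopLevel].sort() };
}
// Constructed sample resembling PR #55: /custom/ content plus a stray folder.
const SAMPLE_FILES = [
  { filename: "custom/README.md", status: "modified" },
  { filename: "custom/my-team/rules.md", status: "added" },
  { filename: "experiments/notes.md", status: "added" },
  { filename: "skills/write.md", status: "modified" },
];
console.log(JSON.stringify(classifyChangedFiles(SAMPLE_FILES)));
```

Because the function only consumes API metadata, it can run in a pull_request_target job without ever checking out the fork's code, which is the safety property the description relies on.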
@JesperSchulz JesperSchulz merged commit d3eb7d6 into main Jun 26, 2026
3 checks passed
