RMI · AlexAxthelm · May 28, 2026 · May 21, 2026 · May 22, 2026 · May 22, 2026
diff --git a/.github/rulesets/README.md b/.github/rulesets/README.md
@@ -0,0 +1,58 @@
+# GitHub Rulesets
+
+These JSON files represent [GitHub Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
+
+Each is created by exporting an existing ruleset in effect in this repo.
+
+## Important limitation
+
+GitHub's rulesets API only returns `bypass_actors` when the caller has write
+access to the ruleset. The default Actions token used in
+[`admin-check_rulesets.yml`](../workflows/admin-check_rulesets.yml)
+does not reliably expose that field, so the rulesets check intentionally ignores
+`bypass_actors` in both the local files and the remote API response.
+
+That means bypass lists are currently treated as UI-managed policy rather than
+fully verified by CI.
+
+# Export
+
+To create a ruleset file from an existing ruleset (usually created through the web UI):
+
+- In Repo Settings, on the sidebar, go to "Rules" -> "Rulesets".
+- Find the ruleset you want to export.
+- In the "..." (three dots) menu, "Export Ruleset".
+
+# Import
+
+NOTE: If you are updating an existing ruleset, see "Update" below.
+
+To import a new ruleset (from a file) into the repo's settings:
+
+- In Repo Settings, on the sidebar, go to "Rules" -> "Rulesets".
+- Click the green "New Ruleset" -> "Import a ruleset".
+- Navigate to a JSON file (on your local machine) that defines the ruleset you want.
+- Scroll to bottom of page and **"Create"**
+
+# Update
+
+If you want to alter an existing ruleset:
+
+- In Repo Settings, on the sidebar, go to "Rules" -> "Rulesets".
+- Find the ruleset you want to update.
+- Click on the ruleset name (not three-dots) to see ruleset definition in the WebUI.
+  - Rename the ruleset (suggestion `rule-name` -> `rule-name-old`)
+  - Set "Enforcement Status" to "Disabled"
+  - Scroll to bottom of page and **"Save Changes"**
+- Return to "Rulesets" main page, and import the updated definition (see above, "Import").
+- Repeat if changing multiple rulesets
+- _(Testing):_
+  - Trigger an empty commit: `git commit -m "Trigger CI" --allow-empty` and push to trigger checking action
+  - The action **should fail** while the temporary `*_old` ruleset still exists.
+    - In the diff, confirm that:
+      - the updated ruleset has no unexpected differences from the JSON file in this repo
+      - the only remaining mismatch is the extra disabled `*_old` ruleset in GitHub
+  - If there are no differences in the ruleset you updated, then it has imported as expected, and you can delete the `*_old` ruleset in the Repo settings.
+    - "Rulesets" -> "`*_old`" -> "..." -> "Delete ruleset".
+  - Trigger a new empty commit and push.
+  - There should be no diffs, and actions run cleanly with new rulesets in effect.
diff --git a/.github/rulesets/main.json → .github/rulesets/gitflow-main.json b/.github/rulesets/main.json → .github/rulesets/gitflow-main.json
@@ -1,6 +1,6 @@
 {
   "id": 12424386,
-  "name": "main",
+  "name": "gitflow-main",
   "target": "branch",
   "source_type": "Repository",
   "source": "RMI/stitch",
@@ -9,7 +9,8 @@
     "ref_name": {
       "exclude": [],
       "include": [
-        "~DEFAULT_BRANCH"
+        "~DEFAULT_BRANCH",
+        "refs/heads/main"
       ]
     }
   },
@@ -26,7 +27,7 @@
         "required_approving_review_count": 1,
         "dismiss_stale_reviews_on_push": false,
         "required_reviewers": [],
-        "require_code_owner_review": false,
+        "require_code_owner_review": true,
         "require_last_push_approval": false,
         "required_review_thread_resolution": false,
         "allowed_merge_methods": [
@@ -78,7 +79,16 @@
           }
         ]
       }
+    },
+    {
+      "type": "creation"
+    },
+    {
+      "type": "copilot_code_review",
+      "parameters": {
+        "review_on_push": false,
+        "review_draft_pull_requests": false
+      }
     }
-  ],
-  "bypass_actors": []
-}
+  ]
+}
diff --git a/.github/rulesets/gitflow-next-lifecycle.json b/.github/rulesets/gitflow-next-lifecycle.json
@@ -0,0 +1,32 @@
+{
+  "id": 16825861,
+  "name": "gitflow-next-lifecycle",
+  "target": "branch",
+  "source_type": "Repository",
+  "source": "RMI/stitch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": [
+        "refs/heads/next",
+        "refs/heads/hotfix/**"
+      ]
+    }
+  },
+  "rules": [
+    {
+      "type": "creation"
+    },
+    {
+      "type": "deletion"
+    }
+  ],
+  "bypass_actors": [
+    {
+      "actor_id": 2,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "always"
+    }
+  ]
+}
diff --git a/.github/rulesets/gitflow-next-pr.json b/.github/rulesets/gitflow-next-pr.json
@@ -0,0 +1,33 @@
+{
+  "name": "gitflow-next-pr",
+  "target": "branch",
+  "source_type": "Repository",
+  "source": "RMI/stitch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": ["refs/heads/next"]
+    }
+  },
+  "rules": [
+    {
+      "type": "non_fast_forward"
+    },
+    {
+      "type": "update"
+    },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": true,
+        "required_reviewers": [],
+        "require_code_owner_review": true,
+        "require_last_push_approval": true,
+        "required_review_thread_resolution": true,
+        "allowed_merge_methods": ["merge"]
+      }
+    }
+  ]
+}
diff --git a/.github/rulesets/gitflow-production.json b/.github/rulesets/gitflow-production.json
@@ -0,0 +1,82 @@
+{
+  "name": "gitflow-production",
+  "target": "branch",
+  "source_type": "Repository",
+  "source": "RMI/stitch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": ["refs/heads/production"]
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
+    },
+    {
+      "type": "non_fast_forward"
+    },
+    {
+      "type": "creation"
+    },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 2,
+        "dismiss_stale_reviews_on_push": true,
+        "required_reviewers": [],
+        "require_code_owner_review": true,
+        "require_last_push_approval": true,
+        "required_review_thread_resolution": true,
+        "allowed_merge_methods": ["merge"]
+      }
+    },
+    {
+      "type": "required_status_checks",
+      "parameters": {
+        "strict_required_status_checks_policy": false,
+        "do_not_enforce_on_create": false,
+        "required_status_checks": [
+
+          {
+            "context": "Linting / Linting (frontend)",
+            "integration_id": 15368
+          },
+          {
+            "context": "Linting / linting (ruff)",
+            "integration_id": 15368
+          },
+          {
+            "context": "Tests / Run Unit Tests (frontend)",
+            "integration_id": 15368
+          },
+          {
+            "context": "Tests / tests (pytest)",
+            "integration_id": 15368
+          },
+          {
+            "context": "Format / formatting (ruff)",
+            "integration_id": 15368
+          },
+          {
+            "context": "Formatting / Format Check (frontend)",
+            "integration_id": 15368
+          },
+          {
+            "context": "Build / Build",
+            "integration_id": 15368
+          },
+          {
+            "context": "Build / Build Frontend",
+            "integration_id": 15368
+          },
+          {
+            "context": "docker compose build / docker compose build",
+            "integration_id": 15368
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/.github/workflows/admin.yml b/.github/workflows/admin.yml
@@ -3,9 +3,12 @@ on:
   pull_request:
     branches:
       - main
+      - next
+      - production
   push:
     branches:
       - main
+      - production
   schedule:
     - cron: "0 3 * * *" # Nightly at 3 AM UTC
   workflow_dispatch:
@@ -23,4 +26,3 @@ jobs:
   pattern-scan:
     name: "Check for forbidden patterns"
     uses: ./.github/workflows/admin-forbidden-patterns.yml
-
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -3,9 +3,12 @@ on:
   pull_request:
     branches:
       - main
+      - next
+      - production
   push:
     branches:
       - main
+      - production
 
 name: Docker Checks
 concurrency:

diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml
@@ -3,9 +3,12 @@ on:
   pull_request:
     branches:
       - main
+      - next
+      - production
   push:
     branches:
       - main
+      - production
 
 name: Node Package Checks
 concurrency:

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -3,9 +3,12 @@ on:
   pull_request:
     branches:
       - main
+      - next
+      - production
   push:
     branches:
       - main
+      - production
 
 name: Python Package Checks
 concurrency: