
GITHUB_TRIPLE_LOCK: enforce execution lock at protected branch and release boundary #35

@LalaSkye

Description


GITHUB_TRIPLE_LOCK_INVARIANT v0.1 — LOCK 3: EXECUTION

Part of: GITHUB_TRIPLE_LOCK_INVARIANT
Related: #33 (LOCK 1: Authority), #34 (LOCK 2: Integrity)
Source: Security audit by Comet (Perplexity browser agent), 2026-03-08

Question this lock answers

Are the conditions for irreversible state change satisfied right now?

Required checks

  • Required status checks pass before merge
  • CI matrix matches branch protection requirements exactly
  • Tests for governance primitives executed and passing
  • Merge only from protected branch
  • No bypassing branch protections ("Do not allow bypassing" enabled)
  • Release artefact built from reviewed commit SHA
  • Decision log / changelog entry present for governance-sensitive changes

Audit issues addressed

CI matrix mismatch:

  • Branch protection requires tests (3.10), tests (3.11), tests (3.12)
  • CI workflow matrix only runs Python 3.11 and 3.12
  • tests (3.10) may never run, creating a phantom gate or permanent block
  • Fix: Align CI matrix with branch protection required checks
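The mismatch above is mechanical enough to check in code: GitHub names a matrix job `<job name> (<matrix value>, <matrix value>)`, joining the values with ", " in matrix-key order, and a required status check context must equal that string exactly. The script below is an added example, not code from the issue or from the constraint-workshop repository; the required-check set and the workflow `jobs` dict are constructed to mirror the audit finding (protection requires 3.10/3.11/3.12, the workflow runs only 3.11 and 3.12). It also illustrates a common way such a mismatch arises: an unquoted `3.10` in YAML is parsed as the float `3.1`, so the job reports as `tests (3.1)` and the required `tests (3.10)` context is never satisfied.

```python
"""Reconcile branch-protection required checks with the check names a CI matrix produces.

Added example (not the project's code). Inputs are constructed.
"""
from itertools import product

# Constructed: contexts listed under "Require status checks to pass before merging".
REQUIRED_CHECKS = {"tests (3.10)", "tests (3.11)", "tests (3.12)"}

# Constructed: the `jobs` mapping of a CI workflow as a YAML loader would return it.
# The audit finding: only 3.11 and 3.12 are in the matrix.
WORKFLOW_JOBS = {
    "tests": {"strategy": {"matrix": {"python-version": ["3.11", "3.12"]}}},
    "lint": {},  # no matrix: the check name is just the job name
}

# Constructed: the corrected workflow. Versions are quoted strings so that
# "3.10" survives YAML parsing instead of becoming the float 3.1.
FIXED_JOBS = {
    "tests": {"strategy": {"matrix": {"python-version": ["3.10", "3.11", "3.12"]}}},
}


def matrix_check_names(jobs):
    """Return the status-check contexts a `jobs` mapping will report.

    Matrix values are stringified the way GitHub renders them, so a float
    3.1 shows up as "tests (3.1)". `include`/`exclude` entries are ignored
    here for brevity; a production check would expand them too.
    """
    names = set()
    for job_id, job in jobs.items():
        display = job.get("name", job_id)
        matrix = job.get("strategy", {}).get("matrix", {})
        axes = [vals for key, vals in matrix.items() if key not in ("include", "exclude")]
        if not axes:
            names.add(display)
            continue
        for combo in product(*axes):
            names.add(f"{display} ({', '.join(str(v) for v in combo)})")
    return names


def reconcile(required, jobs):
    """Compare required contexts with produced contexts.

    phantom:    required but never reported -> PR blocked forever ("Expected" check)
    unenforced: reported but not required   -> cannot block a merge
    aligned:    every required context is actually produced
    """
    produced = matrix_check_names(jobs)
    return {
        "phantom": sorted(required - produced),
        "unenforced": sorted(produced - required),
        "aligned": required <= produced,
    }


if __name__ == "__main__":
    print("current:", reconcile(REQUIRED_CHECKS, WORKFLOW_JOBS))
    print("fixed:  ", reconcile(REQUIRED_CHECKS, FIXED_JOBS))
```

Run it against the real workflow by loading `.github/workflows/*.yml` with a YAML parser and passing the `jobs` mapping; a non-empty `phantom` list is exactly the "permanent block" case the audit describes, and should fail the release pipeline rather than be silently tolerated.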

Admin bypass:

  • "Do not allow bypassing the above settings" is currently OFF
  • Admin can bypass all branch protections including required reviews and status checks
  • Fix: Enable "Do not allow bypassing"

Missing primitive tests:

  • No test_stop_machine.py or test_authority_gate.py in constraint-workshop
  • Core governance primitives have zero test coverage
  • Governance primitives can change without test evidence
  • Fix: Add property-based tests proving immutability, monotone-red, fail-closed

stop-machine repo unprotected:

  • Zero branch protection rules configured
  • Force-push to main possible
  • No required reviews or status checks
  • Fix: Add matching branch protection rules

Concrete actions

  1. Enable "Do not allow bypassing the above settings" on constraint-workshop
  2. Fix CI matrix: align Python versions with branch protection required checks
  3. Add test_stop_machine.py with property-based tests (immutability, monotone-red, no-reset-from-red)
  4. Add test_authority_gate.py with property-based tests (frozen, fail-closed, Evidence boundary)
  5. Add branch protection to stop-machine repo (require PR, reviews, status checks)
  6. Add release workflow that only builds from reviewed, protected-branch commit SHAs

Fail-closed rule for governance paths

if path in {
  .github/workflows/**,
  stop_machine/**,
  authority_gate/**,
  decision_record/**,
  rulesets/**,
  policy/**,
  schemas/**
}
then:
  require triple lock (all three issues #33, #34, #35)
else:
  standard review path

GITHUB_TRIPLE_LOCK_INVARIANT — one-line compile

A governance-sensitive change may merge or release only when: (1) actor authority is valid and in-scope, (2) change integrity is exact, signed, schema-valid, and tamper-evident, and (3) all protected-branch execution conditions pass without bypass. If any lock fails, the repository remains in HOLD.
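The path rule and the one-line compile above can be turned into a single fail-closed decision function. The code below is an added example, not the project's own gate: it classifies changed paths against the governance globs listed in the issue, requires all three locks for any governance-sensitive change, and treats a missing or non-boolean lock result as a failure (so the default outcome is HOLD). The `execution_lock` helper models LOCK 3 from the required-check list (no admin bypass, every required check reporting success, release built from the reviewed SHA); lock results and sample inputs are constructed, and how LOCK 1 and LOCK 2 are evaluated is assumed to be supplied by the caller.

```python
"""Fail-closed triple-lock decision for governance-sensitive paths.

Added example (not the project's code). Lock inputs are constructed.
"""
from fnmatch import fnmatchcase
from posixpath import normpath

# Governance paths from the issue's fail-closed rule.
GOVERNANCE_GLOBS = (
    ".github/workflows/**",
    "stop_machine/**",
    "authority_gate/**",
    "decision_record/**",
    "rulesets/**",
    "policy/**",
    "schemas/**",
)

# LOCK 1 (#33), LOCK 2 (#34), LOCK 3 (#35). All must be exactly True.
LOCKS = ("authority", "integrity", "execution")


def is_governance_path(path):
    """True when a repository-relative path falls under a governance glob.

    normpath resolves "./x" and "a/../b" so the classification is done on the
    file actually touched; fnmatch's '*' crosses '/', so 'x/**' matches any depth.
    """
    clean = normpath(path)
    return any(fnmatchcase(clean, glob) for glob in GOVERNANCE_GLOBS)


def execution_lock(required_checks, check_results, bypass_allowed, reviewed_sha, release_sha):
    """LOCK 3: protected-branch execution conditions.

    Any required context that is absent from check_results counts as failed.
    """
    if bypass_allowed:  # "Do not allow bypassing" must be ON
        return False
    if any(check_results.get(ctx) != "success" for ctx in required_checks):
        return False
    return reviewed_sha == release_sha  # artefact built from the reviewed commit


def decide(changed_paths, lock_results):
    """Return (outcome, failed_locks).

    STANDARD_REVIEW: no governance path touched.
    MERGE:           governance path touched and all three locks are True.
    HOLD:            anything else, including a lock with no result at all.
    """
    touched = [p for p in changed_paths if is_governance_path(p)]
    if not touched:
        return ("STANDARD_REVIEW", [])
    failed = [lock for lock in LOCKS if lock_results.get(lock) is not True]
    return ("HOLD", failed) if failed else ("MERGE", [])


if __name__ == "__main__":
    # Constructed inputs: a change to a governance primitive with LOCK 3 unmet.
    lock3 = execution_lock(
        required_checks={"tests (3.10)", "tests (3.11)", "tests (3.12)"},
        check_results={"tests (3.11)": "success", "tests (3.12)": "success"},
        bypass_allowed=False,
        reviewed_sha="deadbeef",
        release_sha="deadbeef",
    )
    print(decide(["stop_machine/core.py", "README.md"],
                 {"authority": True, "integrity": True, "execution": lock3}))
```

In this run `execution_lock` is False because `tests (3.10)` never reports, so the change stays in HOLD with `["execution"]` listed, which is the audit's "phantom gate" surfacing as a concrete, explainable block rather than a silent one.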

Metadata

Labels: gate-review (Requires human gate review before proceeding), security (Security and access control enforcement)
