From the ecosystem ROADMAP (§5, ref #3696/#85). Done manually on wave-1; rig should do it.
What
At rig init/rig apply, enable the GitHub repo security settings the CI gates depend on, via gh api:
- Dependency Graph + vulnerability alerts (so dependency-review runs instead of erroring/skipping).
- secret-scanning (where the plan allows).
Why
The new CI gates (dependency-review, etc.) skip or fail on a fresh private repo until these settings are on. Wave-1 rollout had to enable them by hand (e.g. gh api PUT .../vulnerability-alerts). rig should reconcile this like everything else.
Acceptance
- rig apply probes and enables Dependency Graph + vuln-alerts (+ secret-scanning) idempotently.
- rig status/drift reports the security-settings state.
- A repo that already has them on is a no-op.
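
One way to do the probe-then-enable reconciliation described above with gh api (an added example, not rig's own code; the function names are hypothetical, and it assumes an authenticated gh whose token has admin rights on the repo). It uses GitHub's REST endpoints for vulnerability alerts and the repository's security_and_analysis.secret_scanning field.

```shell
# Added example; function names are hypothetical, not rig's own code.
# Assumes an authenticated gh whose token has admin rights on the repo.

# Probe: GET .../vulnerability-alerts answers 204 when on, 404 when off,
# and gh api exits non-zero on the 404.
alerts_enabled() {
  gh api --silent "repos/$1/vulnerability-alerts" >/dev/null 2>&1
}

# Probe: prints enabled, disabled, or unavailable (field missing or hidden).
secret_scanning_state() {
  gh api "repos/$1" \
    --jq '.security_and_analysis.secret_scanning.status // "unavailable"' \
    2>/dev/null || echo unavailable
}

# Reconcile one repo (owner/name). Prints one status line per setting and
# writes only when the probe says the setting is off.
reconcile_security_settings() {
  if alerts_enabled "$1"; then
    echo "vulnerability-alerts: ok"
  elif gh api --silent -X PUT "repos/$1/vulnerability-alerts" >/dev/null 2>&1; then
    # This PUT also turns on the dependency graph.
    echo "vulnerability-alerts: enabled"
  else
    echo "vulnerability-alerts: FAILED"; return 1
  fi

  case "$(secret_scanning_state "$1")" in
    enabled) echo "secret-scanning: ok" ;;
    disabled)
      if gh api --silent -X PATCH "repos/$1" --input - >/dev/null 2>&1 <<'JSON'
{"security_and_analysis":{"secret_scanning":{"status":"enabled"}}}
JSON
      then echo "secret-scanning: enabled"
      else echo "secret-scanning: skipped (plan or permissions do not allow it)"
      fi ;;
    *) echo "secret-scanning: skipped (not available)" ;;
  esac
}
```

The printed lines double as the status/drift report: a second run against the same repo prints only "ok" lines and sends no PUT or PATCH.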