ci(governance): remove Require Human Approval gate entirely

[chitcommit]

Summary

• Removes the entire "Require Human Approval" step from .github/workflows/governance.yml, superseding the bot-allowlist carve-out shipped in ci(governance): bot-allowlist for low-risk dep/CI chore PRs #131.
• Solo-operator repo: gating every PR on a human-approving review created friction with no real safety benefit.

Coverage that remains

• CodeRabbit AI review on every PR
• Branch protection rules on main
• Dependency audit gate (governance-gates.yml + security-gates.yml)
• Protected-file warning step (still present in governance.yml)
• Portfolio Hardening Check (SECURITY.md, lockfile, CODEOWNERS, TY/VY/RY eligibility)

If/when the repo grows beyond a single maintainer, reinstate via PR.

Test plan

• Governance workflow runs and passes without the human-approval step
• Other gates (audit, hardening, governance-gates) still fire
• Auto-merge proceeds once required checks are green

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

Summary by CodeRabbit

• Chores
  • Streamlined the pull request approval workflow by removing a dedicated human approval step. The approval process now relies on existing code review, branch protection, and dependency audit gates to maintain review standards.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[github-actions]

@coderabbitai review

Please evaluate:

• Security implications
• Credential exposure risk
• Dependency supply chain concerns
• Breaking API changes

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f0081780-fdcc-4552-bc00-9836990bcc96

📥 Commits

Reviewing files that changed from the base of the PR and between 4611b5a and 5738b6e.

📒 Files selected for processing (1)

• .github/workflows/governance.yml

---

📝 Walkthrough

Walkthrough

This PR simplifies the governance workflow by removing the Require Human Approval enforcement step, which validated PR requirements through a actions/github-script automation. The step is replaced with comments documenting that code review policy, branch protection, and the dependency-audit gate now provide the necessary governance surface area.

Changes

Governance Gate Simplification

Layer / File(s)	Summary
Removal of human-approval enforcement step .github/workflows/governance.yml	The scripted Require Human Approval step (87 lines) that enforced human review requirements is removed and replaced with inline comments explaining that other governance controls (repo code review, branch protection, dependency-audit gate) now cover the surface area.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• chittyapps/chittyfinance#95: Likely introduced the human-approval enforcement step that is now being removed in this PR.

Poem

A gate once guarded with scripting so bright,
Now yielded to simpler controls' might;
Branch rules and reviews keep the CI on track,
One step removed—no functionality we lack! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: removing the 'Require Human Approval' gate from the CI governance workflow, which aligns directly with the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/remove-human-approval-gate

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review — PR #132: Remove Require Human Approval Gate

Overview

This PR removes 87 lines of human-approval enforcement logic from `.github/workflows/governance.yml`, replacing them with a two-line comment. The stated rationale is that the repo is solo-operated, making the gate pure friction.

The logic is simple and the code quality is fine — the main questions are entirely governance and risk.

---

What's Removed

The deleted step did several things worth noting before they disappear:

• Enforced at least one non-bot approval for non-allowlisted PRs
• Maintained a bot allowlist (`dependabot[bot]`, `renovate[bot]`, `chitcommit`) that could waive the approval only when: author + label/title + file scope + all other checks green all held simultaneously
• Blocked merges if any reviewer had left `CHANGES_REQUESTED`
• Logged diagnostic output on every run (reviewer state, file check, allowlist match)

---

Concerns

1. Trust escalation by the allowlisted account

`chitcommit` appears in `ALLOWED_AUTHORS` in the code being deleted — it was explicitly carved out as a low-risk bot. This same account is now the author of a PR that removes its own governance gate. Even if this is intentional, it's worth flagging: the removed step would not have allowed this specific PR to bypass review anyway (title prefix `ci(governance):` doesn't match `chore(deps):` or `chore(ci):`, and `.github/workflows/governance.yml` isn't in `ALLOWED_FILES`), so the old gate would have required a human here. The removal itself is the bypass.

2. Branch protection — is human review still enforced at the GitHub level?

The PR body says branch protection on `main` remains. If those rules require at least one approving review, the deletion is safe — GitHub enforces it outside CI. If branch protection does not require a human review (only status checks), then after this merges there is no path that requires any human to ever approve a PR. Please confirm branch protection settings before merging.

3. No rollback trigger / degradation path

The PR body says "if/when the repo grows beyond a single maintainer, reinstate via PR." That depends entirely on someone remembering. Consider adding a note in SECURITY.md or AGENTS.md alongside the branch protection configuration so the coupling is discoverable.

4. Forensic log loss

The deleted step emitted structured `core.info` lines (author, labels, file list, check results, approval count) on every run. That diagnostic output was useful for auditing why a PR merged. The replacement comment produces nothing. If you want to keep an audit trail, even a minimal log step would help.

---

What Still Holds Up

• CodeRabbit review fires on every PR ✓
• `governance-gates.yml` + `security-gates.yml` dependency audit ✓
• Protected-file warning step remains in this same file ✓
• Portfolio Hardening Check (lockfile, CODEOWNERS, SECURITY.md) ✓

---

Verdict

The change is internally consistent and the simplification is defensible for a solo repo. The one blocker worth verifying before merge:

Confirm that GitHub branch protection on `main` requires at least one human approving review, or explicitly accept the risk that no human review is ever required.

If branch protection covers it: approve and merge. If it doesn't: consider either adding that protection rule or reinstating a lighter-weight version of this gate (e.g., fail if PR author is a human and there are zero approvals, without the allowlist complexity).

---

Review generated by Claude Sonnet 4.6 via the `/review` skill.