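---
# Change Management Rules
# =======================
# Ensures proper version control, approval workflows, and rollback capability.
# Critical for maintaining system stability and audit trail.
#
# Reading these rules:
#   - `check.type` is one of file_exists, pattern_required, pattern_recommended
#     or documentation; the exact pass/fail semantics are defined by the rule
#     engine that consumes this file, not here.
#   - `patterns` values are written as regular expressions (alternation with
#     `|`, escaped dots). Quoted in single quotes so backslashes are literal.
#   - A `documentation` check has no paths and cannot be verified by a file
#     scan; it is a reminder to verify the control out of band.
#   - Glob paths are quoted: an unquoted leading `*` is a YAML alias, not a glob.

rules:
  # ===================
  # VERSION CONTROL
  # ===================
  - id: CHANGE-VC-001
    name: "Git repository required"
    description: "All code must be in version control"
    severity: critical
    check:
      type: file_exists
      paths:
        - ".git"
    message: "Git repository required"

  - id: CHANGE-VC-002
    name: "Gitignore configured"
    description: "Sensitive files must be excluded from version control"
    severity: high
    check:
      type: file_exists
      paths:
        - ".gitignore"
    message: ".gitignore file required"

  - id: CHANGE-VC-003
    name: "Secrets excluded from VCS"
    description: "Secret files must be in .gitignore"
    severity: critical
    check:
      type: pattern_required
      paths:
        - ".gitignore"
      patterns:
        # Single-quoted: '\.env' is the regex \.env (same as the double-quoted
        # "\\.env" form), so no double escaping is needed.
        - '\.env'
        - '\*\.pem'
        - '\*\.key'
        - 'secrets'
    # Caveat: an ignore entry only prevents *future* commits. It does not
    # remove a secret that is already in history; that needs a history scan
    # (see CHANGE-CI-002) and a credential rotation.
    message: "Secret files must be excluded from version control"

  # ===================
  # CODE REVIEW
  # ===================
  - id: CHANGE-REV-001
    name: "Pull request template"
    description: "PR template ensures consistent review information"
    severity: medium
    check:
      type: file_exists
      paths:
        # GitHub looks for the template in the repo root, docs/ and .github/.
        - ".github/PULL_REQUEST_TEMPLATE.md"
        - "docs/PULL_REQUEST_TEMPLATE.md"
        - "PULL_REQUEST_TEMPLATE.md"
        - "CONTRIBUTING.md"
    message: "Pull request template recommended"

  - id: CHANGE-REV-002
    name: "Branch protection documentation"
    description: "Main branch should require reviews"
    severity: high
    # Not machine-checkable from the working tree: branch protection lives in
    # the forge's settings. Verify there (or via its API) that the main branch
    # requires reviews and blocks force-pushes; a document alone proves nothing.
    check:
      type: documentation
    message: "Document branch protection rules"

  - id: CHANGE-REV-003
    name: "Code owners defined"
    description: "Critical paths should have designated owners"
    severity: medium
    check:
      type: file_exists
      paths:
        # GitHub reads CODEOWNERS from .github/, the repo root, or docs/.
        - ".github/CODEOWNERS"
        - "CODEOWNERS"
        - "docs/CODEOWNERS"
    # CODEOWNERS only enforces review when branch protection requires
    # owner approval (CHANGE-REV-002); on its own it is advisory.
    message: "Consider defining code owners for critical paths"

  # ===================
  # CI/CD PIPELINE
  # ===================
  - id: CHANGE-CI-001
    name: "Automated testing in CI"
    description: "Tests must run automatically on changes"
    severity: high
    check:
      type: file_exists
      paths:
        # Workflow files may use either the .yml or the .yaml extension.
        - ".github/workflows/ci.yml"
        - ".github/workflows/ci.yaml"
        - ".github/workflows/test.yml"
        - ".github/workflows/test.yaml"
        - ".gitea/workflows/*.yml"
        - ".gitea/workflows/*.yaml"
    message: "CI workflow for automated testing required"

  - id: CHANGE-CI-002
    name: "Security scanning in CI"
    description: "Security scans must run in CI pipeline"
    severity: high
    # Promoted from pattern_recommended to pattern_required: code-quality
    # checks (CHANGE-CI-003) were already required, and a security scan is
    # at least as important for a rule file with severity high.
    check:
      type: pattern_required
      paths:
        - ".github/workflows/*.yml"
        - ".github/workflows/*.yaml"
        - ".gitea/workflows/*.yml"
        - ".gitea/workflows/*.yaml"
      patterns:
        # Keyword match on workflow content. "security" is deliberately
        # loose and also matches prose; the tool names are the real signal.
        # gitleaks/trufflehog cover committed secrets, semgrep/codeql cover
        # SAST, trivy/snyk/safety cover dependencies and images.
        - "security|bandit|safety|snyk|trivy|semgrep|codeql|gitleaks|trufflehog"
    message: "Security scanning required in CI pipeline"

  - id: CHANGE-CI-003
    name: "Linting and code quality"
    description: "Code quality checks should run in CI"
    severity: medium
    check:
      type: pattern_required
      paths:
        - ".github/workflows/*.yml"
        - ".github/workflows/*.yaml"
        - ".gitea/workflows/*.yml"
        - ".gitea/workflows/*.yaml"
      patterns:
        - "ruff|flake8|pylint|mypy|lint"
    message: "Code quality checks required in CI"

  # ===================
  # DEPLOYMENT
  # ===================
  - id: CHANGE-DEP-001
    name: "Environment separation"
    description: "Development, staging, and production must be separate"
    severity: high
    check:
      type: pattern_required
      paths:
        - "app/core/config.py"
        - "app/core/environment.py"
      patterns:
        # Heuristic: presence of an environment switch in the config module.
        # It does not prove that secrets or databases differ per environment.
        - "ENVIRONMENT|development|staging|production"
    message: "Environment separation required"

  - id: CHANGE-DEP-002
    name: "Deployment automation"
    description: "Deployments should be automated and repeatable"
    severity: medium
    check:
      type: file_exists
      paths:
        - ".github/workflows/release.yml"
        - ".github/workflows/release.yaml"
        - ".github/workflows/deploy.yml"
        - ".github/workflows/deploy.yaml"
        - ".gitea/workflows/*.yml"
        - ".gitea/workflows/*.yaml"
        - "Dockerfile"
    message: "Automated deployment process recommended"

  - id: CHANGE-DEP-003
    name: "Infrastructure as code"
    description: "Infrastructure should be version controlled"
    severity: medium
    check:
      type: file_exists
      paths:
        # Compose accepts compose.y(a)ml and docker-compose.y(a)ml.
        - "docker-compose.yml"
        - "docker-compose.yaml"
        - "compose.yml"
        - "compose.yaml"
        - "Dockerfile"
        - "terraform/"
        - "kubernetes/"
    message: "Infrastructure as code recommended"

  # ===================
  # ROLLBACK CAPABILITY
  # ===================
  - id: CHANGE-ROLL-001
    name: "Database migration versioning"
    description: "Database changes must be versioned and reversible"
    severity: high
    check:
      type: file_exists
      paths:
        - "alembic/"
        - "alembic.ini"
    message: "Database migration tool required"

  - id: CHANGE-ROLL-002
    name: "Migration downgrade support"
    description: "Database migrations should support rollback"
    severity: medium
    check:
      type: pattern_required
      paths:
        - "alembic/versions/*.py"
      patterns:
        # Alembic's template always emits a `def downgrade()` stub, so this
        # only proves the function exists, not that it is implemented.
        # Review the body of each downgrade() manually.
        - "def downgrade"
    message: "Migration downgrade functions required"

  - id: CHANGE-ROLL-003
    name: "Container versioning"
    description: "Container images should be versioned"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "Dockerfile"
        - ".github/workflows/*.yml"
        - ".github/workflows/*.yaml"
        - ".gitea/workflows/*.yml"
        - ".gitea/workflows/*.yaml"
      patterns:
        # Loose keyword match. It does not catch a `:latest` tag or an
        # unpinned base image; pinning by digest is the stronger control.
        - "tag|version|:v"
    message: "Container image versioning recommended"

  # ===================
  # CHANGE DOCUMENTATION
  # ===================
  - id: CHANGE-DOC-001
    name: "Changelog maintained"
    description: "Changes should be documented in changelog"
    severity: medium
    check:
      type: file_exists
      paths:
        - "CHANGELOG.md"
        - "CHANGES.md"
        - "HISTORY.md"
    message: "Consider maintaining a changelog"

  - id: CHANGE-DOC-002
    name: "Release documentation"
    description: "Releases should be documented"
    severity: low
    check:
      type: pattern_recommended
      paths:
        - ".github/workflows/release.yml"
        - ".github/workflows/release.yaml"
      patterns:
        - "release|changelog|notes"
    message: "Consider automated release notes"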