
feat(governance): weekly required-job audit#14

Merged
resq-sw merged 3 commits into main from feat/add-required-job-audit on Apr 18, 2026

Conversation

@WomB0ComB0
Member

Summary

Adds a weekly scheduled workflow that scans every non-archived repo under resq-software/ and flags any repo whose default branch lacks a CI job emitting the `required` status-check context required by the default-branch-baseline ruleset (id 15191038).

Why

The ruleset requires a status context literally named `required`. Any consumer repo whose CI doesn't have such a job will block every PR in "Expected — Waiting for status to be reported" state. This happened to resq-software/npm (fixed in resq-software/npm#46) — the audit catches future drift before it hits.

How it works

  • Trigger: schedule: '0 8 * * MON' (weekly, Monday 08:00 UTC) + workflow_dispatch (manual).
  • Scan:
    1. Fetches the ruleset's conditions.repository_name.exclude list so explicitly-exempt repos aren't false-flagged.
    2. Enumerates every non-archived repo in the org.
    3. Reads every .github/workflows/*.yml on the default branch; looks for a top-level `required:` job key OR a `name: required` line.
    4. Classifies each repo as ok / exempt / missing / unreachable.
  • Reporting: if any "missing" repos are found, opens a tracking issue on this repo (or comments on an existing open one) with the list, the reference fix, and the ruleset-exclusion alternative. Does NOT fail the workflow run.
  • Token: prefers SYNC_TOKEN (covers private repos) with GITHUB_TOKEN fallback (public only). Private repos appear as "unreachable" when SYNC_TOKEN isn't set — informational, not flagged as a gap.

Blast radius

  • ~4 runs/month on ubuntu-latest. Well under GitHub Team's Actions-minutes budget.
  • permissions: contents: read, issues: write — no push/deploy.
  • step-security/harden-runner in audit mode; consistent with the rest of the org's workflows.

Test plan

  • Merge, then trigger via workflow_dispatch to confirm the scan logic runs clean.
  • Expected state: ok=12, exempt=1 (crates, until #71 merges), gaps=0.
  • To test the failure path: temporarily remove required.yml from a test repo → next scheduled run should open an issue listing it.

Weekly cron (Monday 08:00 UTC) + workflow_dispatch that scans every
non-archived repo under resq-software/ and verifies at least one CI
workflow on its default branch emits a `required` status context.
If any repo is missing it (and not in the ruleset exclude list),
opens or comments on a tracking issue in this repo with the repo
list and a reference fix.

Why: the `default-branch-baseline` ruleset (id 15191038) requires
that specific context. Any repo lacking such a job has every PR
blocked on 'Expected - Waiting for status to be reported'.
Previously hit npm (now fixed via resq-software/npm#46). This audit
catches future drift before it bites.

- Uses SYNC_TOKEN (preferred, covers private repos) or GITHUB_TOKEN
  (public-only fallback).
- Does NOT fail the run on gaps; only opens/updates an issue.
- Matches either `required:` job key or `name: required` anywhere in
  .github/workflows/*.yml on the default branch.
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai bot commented Apr 18, 2026

Warning

Rate limit exceeded

@WomB0ComB0 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 28 seconds before requesting another review.
Reviewing files that changed from the base of the PR and between f4b51a6 and 2bd92fc.

📒 Files selected for processing (2)
  • .github/workflows/audit-required-job.yml
  • .github/workflows/required-gate.yml

…ws in audit

Two fixes for the same underlying cause:

1. resq-software/.github doesn't emit the `required` status-check
   context on its own PRs. The existing required.yml is a reusable
   workflow (on: workflow_call) that only fires when called via
   uses:, never on pull_request events. Adds a standalone
   required-gate.yml with a pass-through `required` job, same
   pattern used on docs/dev/ardupilot/resq-proto. Unblocks every
   PR on this repo (including this one and #13).

2. audit-required-job.yml had a false positive: it matched the
   `required:` job key inside the reusable aggregator and reported
   .github as "ok" when it wasn't. Patched the detection to first
   check that the workflow's `on:` block contains pull_request or
   push — reusable-only workflows are skipped. Correct behavior.

The audit was a false positive for resq-software/.github: matched the
required: job key inside required.yml (on: workflow_call, reusable-
only) and reported .github as having a required job on its default
branch. Reusables never fire on pull_request so the ruleset saw the
context as unreported, blocking every PR on .github.

Fix: before matching required: or name: required, extract the
workflow's on: block and skip any workflow whose triggers don't
include pull_request or push.
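
The scan described in the PR body ("How it works") together with the reusable-workflow fix from the commit message above, as an added example. This is not the repository's audit-required-job.yml or any script it runs (neither appears on this page); it is a Python sketch that assumes a line-based reading of each workflow file rather than a YAML library (a YAML 1.1 loader such as PyYAML reads the bare key `on` as boolean True, which a line scan sidesteps), assumes `on:` and `jobs:` sit at column 0, and uses constructed workflow texts and hypothetical repo names under example-org/. The rule that a column-0 workflow-level `name: required` does not count is this example's choice, not something the PR states.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

PR_TRIGGERS = {"pull_request", "push"}  # events on which the ruleset expects the context

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def _nested(lines: List[str], start: int) -> List[str]:
    """Non-blank, non-comment lines indented deeper than lines[start]."""
    base, out = _indent(lines[start]), []
    for line in lines[start + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _indent(line) <= base:
            break
        out.append(line)
    return out

def workflow_triggers(text: str) -> Set[str]:
    """Events under the top-level `on:` (column 0): scalar, flow list, nested map or list."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"""^(?:"on"|'on'|on):\s*(.*)$""", line)
        if not m:
            continue
        inline = m.group(1).split("#", 1)[0].strip()
        if inline:  # `on: push` or `on: [push, pull_request]`
            return {t.strip().strip("'\"") for t in inline.strip("[]").split(",") if t.strip()}
        body = _nested(lines, i)
        base = _indent(body[0]) if body else 0
        events = set()
        for b in body:
            if _indent(b) != base:
                continue  # per-event options (`branches:`, `inputs:`) are not events
            s = b.strip()
            key = s[2:] if s.startswith("- ") else s.split(":", 1)[0]
            events.add(key.strip().strip("'\""))
        return events
    return set()

def has_required_job(text: str) -> bool:
    """`required:` directly under `jobs:`, or an indented `name: required` (a job's
    display name is its context; the column-0 workflow `name:` is not matched)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^jobs:\s*$", line):
            body = _nested(lines, i)
            base = _indent(body[0]) if body else 0
            if any(_indent(b) == base and re.match(r"^\s*required:\s*$", b) for b in body):
                return True
        if re.match(r"""^\s+name:\s*["']?required["']?\s*$""", line):
            return True
    return False

def emits_required_context(text: str) -> bool:
    """The fix from the commit above: a workflow_call-only reusable never runs on the
    PR itself, so a `required` job counts only if the workflow fires on pull_request/push."""
    return bool(workflow_triggers(text) & PR_TRIGGERS) and has_required_job(text)

def classify_repo(name: str, workflows: Optional[Dict[str, str]], exclude: Set[str]) -> str:
    if name in exclude:
        return "exempt"  # listed in the ruleset's repository_name.exclude
    if workflows is None:
        return "unreachable"  # e.g. a private repo scanned without SYNC_TOKEN
    return "ok" if any(emits_required_context(t) for t in workflows.values()) else "missing"

def audit(repos: Dict[str, Optional[Dict[str, str]]], exclude: Set[str]) -> Tuple[Dict[str, int], List[str]]:
    """Per-state counts plus the sorted repo list that would go into the tracking issue."""
    states = {n: classify_repo(n, w, exclude) for n, w in repos.items()}
    counts = {s: sum(v == s for v in states.values()) for s in ("ok", "exempt", "missing", "unreachable")}
    return counts, sorted(n for n, s in states.items() if s == "missing")

# Constructed sample workflows and repos (hypothetical names, not real resq-software repos).
REQUIRED_GATE = """\
on:
  pull_request:
  push:
    branches: [main]
jobs:
  required:
    runs-on: ubuntu-latest
"""
REUSABLE_ONLY = """\
name: required
on:
  workflow_call:
    inputs: {ref: {type: string, required: false}}
jobs:
  required:
    runs-on: ubuntu-latest
"""
NAMED_JOB = """\
on: [push, pull_request]
jobs:
  gate:
    name: required
    runs-on: ubuntu-latest
"""
SAMPLE_REPOS = {
    "example-org/docs": {"required-gate.yml": REQUIRED_GATE},
    "example-org/aggregator": {"required.yml": REUSABLE_ONLY},  # the reusable-only false positive
    "example-org/proto": {"ci.yml": NAMED_JOB},
    "example-org/crates": {},  # exempt via the ruleset exclude list
    "example-org/private": None,  # unreachable without SYNC_TOKEN; informational, not a gap
}
SAMPLE_EXCLUDE = {"example-org/crates"}
```

Calling audit(SAMPLE_REPOS, SAMPLE_EXCLUDE) returns 2 ok, 1 exempt, 1 missing and 1 unreachable, with example-org/aggregator as the single gap: its required.yml defines the `required` job but only under on: workflow_call, which is the shape of the false positive the fix commit describes. A real run would pull the exclude list from the ruleset and the workflow files from each default branch using SYNC_TOKEN; the classification step stays the same.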
@resq-sw resq-sw merged commit 66dc342 into main Apr 18, 2026
7 checks passed
@resq-sw resq-sw deleted the feat/add-required-job-audit branch April 18, 2026 02:26