feat: solo-maintainer auto-approve as first-class pattern #21

Merged: CybotTM merged 2 commits into main from feat/solo-maintainer-auto-approve on Feb 17, 2026

@CybotTM (Member) commented Feb 16, 2026

Summary

  • New template pr-quality.yml.template: auto-approves PRs from repo collaborators (write/admin permission) so required_approving_review_count >= 1 is satisfied without manual review
  • Restructured security-config.md: all best practices are now first-class sections (Least-Privilege Permissions, Branch Protection, etc.); OpenSSF Scorecard is a quick-reference table at the bottom — not the organizing principle
  • Prominent in auto-merge-guide.md: "Solo Maintainer" section at the very top with branch protection settings, approval matrix, and bootstrap note
  • Updated SKILL.md: added to "When to Use", Quick Diagnostics, Quick Reference table, and asset template table

Motivation

The solo-maintainer auto-approve pattern was buried in security-config.md under a Scorecard-specific heading, making it hard to discover. It's a general requirement for any solo-developer project, not a Scorecard optimization.

Test plan

  • Verify pr-quality.yml.template renders correctly
  • Check that SKILL.md mentions solo-maintainer in Quick Diagnostics
  • Confirm security-config.md Scorecard section is at the bottom

- Add pr-quality.yml.template: auto-approves PRs from repo collaborators
  so required_approving_review_count >= 1 is satisfied without manual review
- auto-merge-guide.md: add prominent "Solo Maintainer" section at the top
  with branch protection settings, approval matrix, and bootstrap note
- security-config.md: restructure so all best practices are first-class
  sections; Scorecard is a quick-reference table at the bottom, not the
  organizing principle
- SKILL.md: add template to asset table, add solo-maintainer to "When to
  Use" and Quick Diagnostics
@gemini-code-assist

Summary of Changes

Hello @CybotTM, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors and enhances documentation and tooling around auto-approval mechanisms, particularly for solo-maintained projects. It introduces a new GitHub Actions workflow template for automatic PR approval by trusted collaborators, making it easier to meet branch protection requirements like required_approving_review_count. The changes also improve the discoverability and clarity of this pattern by integrating it more deeply into relevant guides and restructuring security documentation to emphasize best practices over specific Scorecard optimizations.

Highlights

  • New Auto-Approval Workflow Template: Introduced a new pr-quality.yml.template to enable auto-approval for PRs from repository collaborators (write/admin permissions), satisfying required_approving_review_count >= 1 without manual review.
  • Restructured Security Configuration Guide: Restructured security-config.md to prioritize general security best practices (Least-Privilege Permissions, Branch Protection) as first-class sections, moving the OpenSSF Scorecard quick-reference to the bottom for better clarity and discoverability.
  • Enhanced Auto-Merge Guide for Solo Maintainers: Elevated the 'Solo Maintainer' auto-approve pattern in auto-merge-guide.md by placing it prominently at the top, including detailed branch protection settings, an approval matrix, and a bootstrap note.
  • Updated SKILL.md with Auto-Approve Guidance: Updated SKILL.md to include solo-maintainer auto-approve in 'When to Use', Quick Diagnostics, Quick Reference table, and the asset template table, making the feature more discoverable.

Changelog

  • skills/github-project/SKILL.md
    • Added 'Solo maintainer needs auto-approve for their own PRs' to the 'When to Use' section.
    • Introduced a new 'Solo Maintainer: PRs Stuck on REVIEW_REQUIRED' section with guidance on using pr-quality.yml.template.
    • Updated the 'Auto-merge troubleshooting' entry in the Quick Reference table to 'Auto-approve + auto-merge (solo maintainer, bots)'.
    • Added pr-quality.yml.template to the asset template table.
  • skills/github-project/assets/pr-quality.yml.template
    • Added a new GitHub Actions workflow template that auto-approves pull requests from repository collaborators with admin or write permissions using pull_request_target.
  • skills/github-project/references/auto-merge-guide.md
    • Renamed the guide title to 'Auto-merge & Auto-approve Guide'.
    • Added a comprehensive 'Solo Maintainer: Auto-approve via pr-quality.yml' section, detailing its purpose, how it works, template usage, branch protection settings, and an approval matrix.
    • Included a 'Bootstrap note' for initial workflow setup.
  • skills/github-project/references/security-config.md
    • Updated the document title and introductory description to reflect a broader focus on repository security best practices.
    • Renamed 'OpenSSF Scorecard: Token-Permissions' to 'Least-Privilege Workflow Permissions' and clarified the guidance.
    • Updated comments regarding workflow-level write permissions.
    • Renamed 'Branch-Protection for Scorecard (Solo Maintainer)' to 'Branch Protection: Required Reviews' and generalized the guidance for all projects, with specific notes for solo maintainers and Scorecard.
    • Removed the gh api example for rulesets, as it is now covered in auto-merge-guide.md.
    • Added a new 'OpenSSF Scorecard Quick Reference' table at the end of the document.

Activity

  • No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new pattern for solo-maintainer auto-approval of pull requests. It adds a new workflow template pr-quality.yml.template and updates several documentation files to explain the pattern and restructure security guidance. The changes are well-documented and improve the project's guidance. I've found one high-severity issue in the new workflow template where it doesn't follow the least-privilege principle for permissions, which is also being promoted in the documentation changes within this same PR. My review includes a suggestion to fix this.
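
A least-privilege shape for the kind of auto-approve workflow this review discusses, as an added example; it is not the project's pr-quality.yml.template, and the workflow name, step layout and use of the gh CLI are assumptions.

```yaml
# Added illustration; NOT the project's pr-quality.yml.template.
name: PR Quality (example)

on:
  # Runs in the base repository's context, using the workflow file
  # from the base branch rather than the one in the PR.
  pull_request_target:
    types: [opened, synchronize, reopened]

# Workflow level: grant nothing. Each job opts in to what it needs.
permissions: {}

jobs:
  auto-approve:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # the only scope needed to submit a review
    steps:
      # No actions/checkout step: PR head code is never fetched or run here.
      - name: Approve when the author has write or admin permission
        env:
          # Event data is passed through env vars instead of being
          # interpolated into the script text.
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
          AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          set -euo pipefail
          # Lookup failures (for example, an unknown user) fall back to "none".
          perm="$(gh api "repos/${REPO}/collaborators/${AUTHOR}/permission" \
                    --jq .permission 2>/dev/null || echo none)"
          case "$perm" in
            admin|write)
              gh pr review "$PR" --repo "$REPO" --approve
              ;;
            *)
              echo "Author permission is '${perm}'; leaving PR for manual review."
              ;;
          esac
```

An approval submitted with the workflow token only succeeds when the repository setting "Allow GitHub Actions to create and approve pull requests" is enabled.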

@CybotTM CybotTM merged commit 37d3e77 into main Feb 17, 2026
5 checks passed
@CybotTM CybotTM deleted the feat/solo-maintainer-auto-approve branch February 17, 2026 13:07