This public repository is the organization-level source of truth for community standards, issue and pull-request templates, and reusable GitHub Actions workflows. Internal access matrices, administrative procedures, and the full team workflow manual are maintained in the private HMG-Documents repository.
profile/— public organization profile..github/ISSUE_TEMPLATE/— default issue forms inherited by repositories that do not define their own issue-template directory..github/workflows/— reusable organization workflows, pinned required gates, and protected cross-repository promotion orchestration.workflow-templates/— starter workflows shown to HMG-AI repositories.governance/— declarative public labels and pinned commit-policy tooling.
Changes to governance must use a pull request, be reviewed by the governance CODEOWNERS, and preserve least-privilege permissions. Never commit credentials, personal access tokens, private keys, customer data, or production configuration here.
The organization required quality workflow applies a read-only security policy to every added, copied, modified, renamed, or type-changed root workflow in a pull request or merge group. The checker itself is loaded from the exact immutable commit identified by github.workflow_sha; it never executes policy code from the candidate branch and checks out both repositories without persisted credentials. Changed workflows must use explicit least-privilege permissions, immutable action and container references, safe checkout settings, and must not directly interpolate untrusted event values into executable scripts or attempt an obvious direct write to main. Pull-request-like events cannot receive write permissions or custom checkout credentials and must use an approved literal GitHub-hosted runner label; dynamic expressions, arrays, and runner groups fail closed. This is a transitional changed-workflows-only gate so existing workflow debt does not block unrelated changes. The organization ruleset remains the authoritative control against direct default-branch writes; after the existing debt is remediated, this policy will move to repository-wide enforcement.
Automated cross-repository publication must use a target-repository branch and pull request. The HMG public release contract is centralized in reusable-hmg-public-promotion.yml; it never writes HMG-public/main, never submits a review or acts as a bypass actor, and may register rebase auto-merge after reconciling the deterministic branch and pull request. GitHub completes that merge only after every target rule and independent human review is satisfied. The workflow downloads the exact 17-asset output of a successful Build public release artifacts (no publish) run on protected HMG main, independently verifies the source-bound release set, and starts the candidate from protected HMG-public/main. The same deterministic candidate mirrors that exact source SHA's reviewed export/ tree and adds release-provenance/v<version>.json, a secret-free audit record that binds the HMG source SHA, Actions run, artifact name, aggregate asset digest, and immutable target base SHA. Target-owned .github policy, commitlint.config.mjs, and all historical provenance records are excluded from the source mirror and must remain unchanged. A pre-publication recovery may deterministically replace only the same version's provenance record; it never needs a cleanup pull request. An isolated job with no repository or Actions permissions signs the full candidate tree, and the target-scoped write token is exposed only while reconciling the deterministic 17-asset staging release and promotion pull request. An unchanged retry reuses the same branch commit and approval; after a v2 promotion merges, publisher retries resume from that approved commit without a new pull request. One additional reviewed promotion is allowed only to migrate an exact, unpublished legacy v1 receipt whose source and asset digest still match and whose sole earlier promotion PR merged.
Every automated promotion commit carries exactly eight governed trailers: source repository, stable source tag, source SHA, successful source workflow run, aggregate asset digest, candidate Git tree, reviewed Ed25519 key ID, and detached Ed25519 signature. reusable-hmg-public-quality.yml is the read-only, centrally governed build, drift, leak, stable-version, event-binding, candidate-tree, and signature gate. required-hmg-public-quality.yml is its repository-specific required-workflow wrapper and calls the reusable workflow from the same immutable organization commit. It must be attached by a dedicated organization ruleset whose repository target includes only HMG-public and whose workflow reference is pinned to a reviewed full SHA; the generic organization quality ruleset remains separate and unchanged. The gate shellchecks the target-owned release scripts and runs their classifier and publisher policy fixtures for every candidate, including ordinary governance pull requests. It also classifies HMG trailers across the immutable event commit range, so a merge-queue ref cannot bypass provenance checks; a governed merge group must contain exactly one complete promotion commit and its event-head tree must still equal the signed tree. It deliberately cannot read the write-visible staging draft and receives no write credential. Before merge it proves the final vMAJOR.MINOR.PATCH tag is absent; after merge, the environment-protected target publisher independently verifies the signed commit and staging bytes, creates the final tag once, publishes the release, and relies on immutable-release plus tag rules to prevent mutation. Production callers and required-workflow rulesets must pin these files to reviewed full commit SHAs.
Organization members can read the canonical team guide in HMG-Documents/github-governance.