This public repository is the organization-level source of truth for community standards, issue and pull-request templates, and reusable GitHub Actions workflows. Internal access matrices, administrative procedures, and the full team workflow manual are maintained in the private HMG-Documents repository.
profile/— public organization profile..github/ISSUE_TEMPLATE/— default issue forms inherited by repositories that do not define their own issue-template directory..github/workflows/— reusable organization workflows, pinned required gates, and protected cross-repository promotion orchestration.workflow-templates/— starter workflows shown to HMG-AI repositories.governance/— declarative public labels and pinned commit-policy tooling.
Changes to governance must use a pull request, be reviewed by the governance CODEOWNERS, and preserve least-privilege permissions. Never commit credentials, personal access tokens, private keys, customer data, or production configuration here.
The organization required quality workflow applies a read-only security policy to every added, copied, modified, renamed, or type-changed root workflow in a pull request or merge group. The checker itself is loaded from the exact immutable commit identified by github.workflow_sha; it never executes policy code from the candidate branch and checks out both repositories without persisted credentials. Changed workflows must use explicit least-privilege permissions, immutable action and container references, safe checkout settings, and must not directly interpolate untrusted event values into executable scripts or attempt an obvious direct write to main. Pull-request-like events cannot receive write permissions or custom checkout credentials and must use an approved literal GitHub-hosted runner label; dynamic expressions, arrays, and runner groups fail closed. This is a transitional changed-workflows-only gate so existing workflow debt does not block unrelated changes. The organization ruleset remains the authoritative control against direct default-branch writes; after the existing debt is remediated, this policy will move to repository-wide enforcement.
Automated cross-repository publication must use a target-repository branch and pull request. The HMG public release contract is centralized in reusable-hmg-public-promotion.yml; it never writes HMG-public/main, never submits a review or acts as a bypass actor, and may register rebase auto-merge after reconciling the deterministic branch and pull request. GitHub completes that merge only after every target rule and independent human review is satisfied. The workflow downloads the exact 17-asset output of a successful Build public release artifacts (no publish) run on protected HMG main, independently verifies the source-bound release set, and starts the candidate from protected HMG-public/main. The promotion changes no product source, website, or npm content; its only repository change is release-provenance/v<version>.json, a secret-free audit record that binds the HMG source SHA, Actions run, artifact name, and aggregate asset digest. An isolated job with no repository or Actions permissions signs the canonical provenance statement, and the target-scoped write token is exposed only while reconciling the deterministic 17-asset staging release and promotion pull request.
Every automated promotion commit carries exactly eight governed trailers: source repository, stable source tag, source SHA, successful source workflow run, aggregate asset digest, candidate Git tree, reviewed Ed25519 key ID, and detached Ed25519 signature. reusable-hmg-public-quality.yml is the read-only, centrally governed build, drift, leak, stable-version, event-binding, candidate-tree, and signature gate. It shellchecks the target-owned release scripts and runs their classifier and publisher policy fixtures for every candidate, including ordinary governance pull requests. It also classifies HMG trailers across the immutable event commit range, so a merge-queue ref cannot bypass provenance checks; a governed merge group must contain exactly one complete promotion commit and its event-head tree must still equal the signed tree. It deliberately cannot read the write-visible staging draft and receives no write credential. Before merge it proves the final vMAJOR.MINOR.PATCH tag is absent; after merge, the environment-protected target publisher independently verifies the signed commit and staging bytes, creates the final tag once, publishes the release, and relies on immutable-release plus tag rules to prevent mutation. Production callers and required-workflow rulesets must pin these files to reviewed full commit SHAs. Until the bootstrap pull requests are independently reviewed and merged, the exact-SHA HMG caller and HMG-public-specific required-workflow wrapper/ruleset remain intentionally absent and the replacement path remains pending_not_active.
Organization members can read the canonical team guide in HMG-Documents/github-governance.