---
title: "Pull Request Governance"
type: concept
tags: ["git", "code-review", "workflow", "delivery-traceability"]
last_updated: 2026-04-25
---

## Definition

Pull Request Governance is the workflow discipline that protects the quality of branch merges through a standardized PR template, security review requirements, recorded risk, and a mandatory review process.

## Mandatory PR Scenarios

Merges in the following scenarios **must** go through PR review:

- Merges into `main`
- Merges into `release/*`
- Large refactors
- Critical infrastructure changes
- Changes touching authentication, authorization, infrastructure, or sensitive-data handling

## PR Template Structure

The standard PR template contains:

```markdown
## What does this PR do?
Implements **JIRA-214** by adding the SSO login flow...

## Jira Link
- Ticket: JIRA-214
- Branch: feature/JIRA-214-add-sso-login

## Change Summary
- Add SSO callback controller and provider wiring
- Add regression coverage for expired refresh tokens
- Document the new login setup path

## Risk and Security Review
- Auth flow touched: yes
- Secret handling changed: no
- Rollback plan: revert the branch and disable the provider flag

## Testing
- Unit tests: passed
- Integration tests: passed in staging
- Manual verification: login and logout flow verified in staging
```

## Security Discipline

- **No secrets in PR**: credentials, tokens, and customer data must never appear in the PR title, description, or diff
- **Explicit validation scope**: state clearly which paths were tested and which were not
- **Security review mandatory**: changes to authentication, authorization, infrastructure, or sensitive-data handling must pass security review

## Rollback Readiness

Every PR must include a rollback plan, recorded on the `Rollback plan` line of the Risk and Security Review section, so that rolling back is low-risk and low-impact.

## Sources

- [[project-management-jira-workflow-steward]]
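The template structure, the "no secrets in PR" rule, the mandatory-review branches and the rollback requirement can all be checked by a pre-merge job before a human reviewer spends time on the PR. The following linter is an added example written for this page, not tooling from the project or the linked Jira workflow note. The section headings and the `Auth flow touched` / `Secret handling changed` / `Rollback plan` lines come from the template above; the protected-branch patterns mirror the Mandatory PR Scenarios list; the secret regexes are illustrative and would be replaced by a dedicated secret scanner in practice; and both PR bodies are constructed for the example (the `AKIA...EXAMPLE` value is the placeholder key from AWS documentation, not a live credential).

```python
"""Lint a pull-request title and body against the PR template on this page.

Added example, not part of the original note. Section names follow the
template; secret patterns are a heuristic stand-in for a real scanner.
"""
import fnmatch
import re

# Branches whose merges must go through PR review (Mandatory PR Scenarios).
PROTECTED_BRANCHES = ("main", "release/*")

# Headings the template requires, exactly as the template spells them.
REQUIRED_SECTIONS = (
    "What does this PR do?",
    "Jira Link",
    "Change Summary",
    "Risk and Security Review",
    "Testing",
)

# Illustrative secret patterns; assumption for this example only.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b[ \t]*[:=][ \t]*['\"]?[^\s'\"]{8,}"
    ),
}


def requires_review(target_branch: str) -> bool:
    """True when the target branch is one whose merges must be reviewed."""
    return any(fnmatch.fnmatchcase(target_branch, pat) for pat in PROTECTED_BRANCHES)


def split_sections(body: str) -> dict:
    """Map each '## Heading' in the PR body to the text beneath it."""
    sections = {}
    current = None
    for line in body.splitlines():
        m = re.match(r"^##\s+(.*\S)\s*$", line)
        if m:
            current = m.group(1)
            sections[current] = ""
        elif current is not None:
            sections[current] += line + "\n"
    return sections


def find_secrets(text: str) -> list:
    """Names of the secret patterns that match anywhere in the text."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def needs_security_review(body: str) -> bool:
    """Security sign-off is mandatory when auth or secret handling changed."""
    risk = split_sections(body).get("Risk and Security Review", "")
    return bool(re.search(
        r"(?im)^-[ \t]*(?:Auth flow touched|Secret handling changed):[ \t]*yes\b", risk))


def lint_pr(title: str, body: str) -> list:
    """Return a list of findings; an empty list means the PR passes."""
    findings = []
    sections = split_sections(body)
    for name in REQUIRED_SECTIONS:
        if not sections.get(name, "").strip():
            findings.append(f"missing or empty section: {name}")

    risk = sections.get("Risk and Security Review", "")
    for field in ("Auth flow touched", "Secret handling changed"):
        if not re.search(rf"(?im)^-[ \t]*{field}:[ \t]*(?:yes|no)\b", risk):
            findings.append(f"{field} must be answered yes/no")
    # A rollback plan must be present and non-empty (Rollback Readiness).
    if not re.search(r"(?im)^-[ \t]*Rollback plan:[ \t]*\S", risk):
        findings.append("no rollback plan in Risk and Security Review")

    # Secrets are forbidden in the title and description (Security Discipline).
    for name in find_secrets(title + "\n" + body):
        findings.append(f"possible secret in PR text: {name}")
    return findings


# Constructed sample PR bodies for the example.
GOOD_PR = """## What does this PR do?
Implements **JIRA-214** by adding the SSO login flow.

## Jira Link
- Ticket: JIRA-214
- Branch: feature/JIRA-214-add-sso-login

## Change Summary
- Add SSO callback controller and provider wiring
- Add regression coverage for expired refresh tokens

## Risk and Security Review
- Auth flow touched: yes
- Secret handling changed: no
- Rollback plan: revert the branch and disable the provider flag

## Testing
- Unit tests: passed
- Integration tests: passed in staging
"""

BAD_PR = """## What does this PR do?
Rotates the SSO provider credentials.

## Jira Link
- Ticket: JIRA-231

## Change Summary
- Replace provider credentials; new key is AKIAIOSFODNN7EXAMPLE

## Risk and Security Review
- Auth flow touched: yes
- Secret handling changed: yes
- Rollback plan:
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_PR), ("bad", BAD_PR)):
        print(label, lint_pr("Add SSO login", body) or "OK",
              "| security review:", needs_security_review(body))
```

Run as a CI step, an empty findings list lets the merge proceed to human review; any finding blocks it, and `needs_security_review` decides whether the security team must be added as a required reviewer. The secret check here only covers the PR text; the diff itself still needs a scanner that looks at file contents.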