pr-policy-templates
Enforce change quality via PR templates, required reviews, metadata ownership, and automated checks. NOT for branching model selection.
Best use case
pr-policy-templates is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Enforce change quality via PR templates, required reviews, metadata ownership, and automated checks. NOT for branching model selection.
Teams using pr-policy-templates should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/pr-policy-templates/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How pr-policy-templates Compares
| Feature / Agent | pr-policy-templates | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Enforce change quality via PR templates, required reviews, metadata ownership, and automated checks. NOT for branching model selection.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Pull Request Policy Templates A consistent PR template + CODEOWNERS + required checks shifts quality left. This skill defines a template with sections for scope, test evidence, deploy plan, and risk; a CODEOWNERS matching metadata types to owning teams; and branch-protection rules requiring status checks (validation deploy, test run, scan). ## Adoption Signals Teams >3 people; regulated or production-critical repos. - Required when audit evidence (who reviewed, when, against what checklist) must be derivable from PR history. - Required when a CODEOWNERS rule must enforce architect sign-off for irreversible metadata changes. ## Recommended Workflow 1. Write `.github/pull_request_template.md` with Scope, Test Evidence, Deploy Plan, Rollback, and Risk sections. 2. Create `.github/CODEOWNERS` mapping `force-app/main/default/flows/` to @flow-team, `classes/` to @apex-team, etc. 3. Enable branch protection: require PR + 1 review + all required checks green + CODEOWNERS approval. 4. Wire required status checks: validation deploy, Apex test run ≥75%, PMD/Checkmarx scan. 5. Quarterly: audit merged PRs; measure cycle time and revert rate; tune policy. ## Key Considerations - CODEOWNERS with @team handles scales better than individual usernames. - Coverage can be blocker or soft warning — pick one and enforce consistently. - Squash-merge keeps history clean; but preserve deploy traceability with merge commits. - Template must be ≤1 screen — long templates get ignored. ## Worked Examples (see `references/examples.md`) - *CODEOWNERS mapping* — Flow changes route to flow team - *Required check: validation deploy* — Prevent 'works in dev' surprises ## Common Gotchas (see `references/gotchas.md`) - **CODEOWNERS without team** — User leaves; PRs stuck. - **Template too long** — Authors delete it. - **Coverage check both warn+block inconsistent** — Confusion. ## Top LLM Anti-Patterns (full list in `references/llm-anti-patterns.md`) - Optional PR template (unused) - CODEOWNERS with personal accounts - No validation deploy gate ## Official Sources Used - Salesforce DX Developer Guide — https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/ - Unlocked Packaging — https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_dev2gp.htm - SF CLI — https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/ - DevOps Center — https://help.salesforce.com/s/articleView?id=sf.devops_center_overview.htm - Scratch Org Snapshots — https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_scratch_orgs_snapshots.htm - sfdx-hardis — https://sfdx-hardis.cloudity.com/
Related Skills
sandbox-refresh-and-templates
Sandbox refresh cycles, sandbox templates, post-refresh automation via the SandboxPostCopy Apex interface, and data handling during refresh. NOT for sandbox type selection (use sandbox-strategy).
fsl-service-report-templates
Use this skill when designing, generating, or troubleshooting Field Service service report templates — covers the createServiceReport REST action (API v40.0+), ServiceReportLayout configuration, DigitalSignature capture, Document Builder (Winter '25+) with conditional logic via Flow, and PDF storage as ContentDocument/ContentVersion. NOT for quote templates, custom Visualforce pages, or Experience Cloud document generation.
prompt-builder-templates
Use when creating, reviewing, or troubleshooting Prompt Builder templates (Field Generation, Record Summary, Sales Email, or Flex types), including grounding with merge fields, Flow, or Apex. Trigger keywords: prompt template, Prompt Builder, field generation, record summary, sales email template, flex template, grounding, merge fields, LLM template, Einstein generative AI. NOT for agent topic instructions, Copilot action configuration, or Data Cloud segment activation.
quotes-and-quote-templates
Use when configuring standard Salesforce Quotes, building or customizing quote templates for PDF generation, emailing quotes to customers, syncing quotes to opportunity products, or setting up discount approval processes on quotes. Triggers: 'create quote', 'quote template', 'quote PDF', 'email quote', 'quote sync', 'synced quote', 'discount approval', 'quote line items'. NOT for CPQ (Salesforce Revenue Cloud / SBQQ) quote configuration, quote line scheduling, or order management.
email-templates-and-alerts
Use when designing, reviewing, or troubleshooting Salesforce email templates, email alerts, and declarative notification design. Triggers: 'Lightning Email Template', 'email alert', 'merge field', 'org-wide email', 'too many emails', 'mass email limit'. NOT for marketing automation or custom Apex email services.
cpq-quote-templates
Use when designing or troubleshooting Salesforce CPQ (SBQQ) quote templates: building template sections, configuring line columns, conditionally showing sections, generating branded PDFs, or handling multi-language output. Triggers: 'CPQ quote template', 'SBQQ template', 'CPQ PDF', 'line columns', 'quote template sections', 'conditional section', 'CPQ quote document'. NOT for standard Salesforce quote templates (Setup > Quote Templates), Visualforce-only PDF customization, or CPQ pricing rules and price books.
xss-and-injection-prevention
Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).
visualforce-security-and-modernization
Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).
transaction-security-policies
Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.
sso-saml-troubleshooting
Diagnosing broken SAML SSO into Salesforce — IdP-initiated vs SP-initiated flows, signing-certificate validity / expiry, NameID format mismatches, RelayState handling, audience / entityId / issuer mismatches, clock skew, the SAML Assertion Validator in Setup, the Login History debug log, and the My Domain prerequisite for SSO. Covers the standard diagnostic loop: read the SAML response, identify which check failed, fix at the IdP or SP. NOT for OAuth / OpenID Connect SSO (see security/oauth-openid-troubleshooting), NOT for setting up SSO from scratch (see security/sso-saml-setup).
shield-kms-byok-setup
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
shield-event-log-retention-strategy
Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).