Convert branch protections to rule sets (#7095)
parent
3e1d9536f8
commit
e47963612e
@ -5,71 +5,98 @@ Repository settings in addition to what's documented already at
## General > Pull Requests
* Allow squash merging > Default to pull request title
- Allow squash merging > Default to pull request title
- Allow auto-merge
## Actions > General
* Fork pull request workflows from outside collaborators:
- Fork pull request workflows from outside collaborators:
"Require approval for first-time contributors who are new to GitHub"
(To reduce friction for new contributors,
as the default is "Require approval for first-time contributors")
- Workflow permissions
- Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
Read repository contents and packages permissions
- Allow GitHub Actions to create and approve pull requests: UNCHECKED
## Rules > Rulesets
### `main` and release branches
- Targeted branches:
- `main`
- `release/*`
- Branch rules
- Restrict deletions: CHECKED
- Require linear history: CHECKED
- Require a pull request before merging: CHECKED
- Required approvals: 1
- Require review from Code Owners: CHECKED
- Allowed merge methods: Squash
- Require status checks to pass
- Do not require status checks on creation: CHECKED
- Status checks that are required
- EasyCLA
- `required-status-check`
- `gradle-wrapper-validation`
- Block force pushes: CHECKED
- Require code scanning results: CHECKED
- CodeQL
- Security alerts: High or higher
- Alerts: Errors
### `benchmarks` branch
- Targeted branches:
- `benchmarks`
- Branch rules
- Restrict deletions: CHECKED
- Require linear history: CHECKED
- Block force pushes: CHECKED
### Old-style release branches
- Targeted branches:
- `v0.*`
- `v1.*`
- Branch rules
- Restrict creations: CHECKED
- Restrict updates: CHECKED
- Restrict deletions: CHECKED
### Restrict branch creation
- Targeted branches
- Exclude:
- `release/*`
- `renovate/**/*`
- `otelbot/**/*`
- `revert-*/**/*` (these are created when using the GitHub UI to revert a PR)
- Restrict creations: CHECKED
### Restrict updating tags
- Targeted tags
- All tags
- Restrict updates: CHECKED
- Restrict deletions: CHECKED
## Branch protections
The order of branch protection rules
[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
The branch protection rules below should be added before the `**/**` branch protection rule
(this may require deleting the `**/**` rule and recreating it at the end).
### `main`, `release/*`
### `main`
- Restrict who can push to matching branches: CHECKED
* Require branches to be up to date before merging: UNCHECKED
## Code security and analysis
(PR jobs take too long, and leaving this unchecked has not been a significant problem)
* Status checks that are required:
* EasyCLA
* required-status-check
### `release/*`
Same settings as above for `main`, except:
* Restrict pushes that create matching branches: UNCHECKED
(So that opentelemetrybot can create release branches)
### `renovate/**/**`, and `opentelemetrybot/*`
* Require status checks to pass before merging: UNCHECKED
(So that renovate PRs can be rebased)
* Restrict who can push to matching branches: UNCHECKED
(So that bots can create PR branches in this repository)
* Allow force pushes > Everyone
(So that renovate PRs can be rebased)
* Allow deletions: CHECKED
(So that bot PR branches can be deleted)
### `benchmarks`
- Everything UNCHECKED
(This branch is currently only used for directly pushing benchmarking results from the
[overhead benchmark](https://github.com/open-telemetry/opentelemetry-java/actions/workflows/benchmark.yml)
job)
- Secret scanning: Enabled
## Secrets and variables > Actions
* `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
* `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
* `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
* `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
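Review bot: the new `## Rules > Rulesets` section never records each ruleset's bypass list, yet it drops the old `main` line `- Restrict who can push to matching branches: CHECKED` without an equivalent; since a ruleset's `Require a pull request before merging`, `Block force pushes` and `Restrict updates` rules only bind actors who are not on its bypass list, please document the bypass actors (or state explicitly that the list is empty) for the `main` and release-branch ruleset, the old-style `v0.*`/`v1.*` ruleset and the `Restrict updating tags` ruleset. Two rationale lines also vanish without a successor: `* Require branches to be up to date before merging: UNCHECKED` with `(PR jobs take too long, and leaving this unchecked has not been a significant problem)` has no counterpart under the new `Require status checks to pass` entry, and the `renovate`/bot exclusions in `### Restrict branch creation` switch from `opentelemetrybot/*` to `otelbot/**/*` while `(So that opentelemetrybot can create release branches)` is removed; a one-line note on the up-to-date setting and on which bot identity now creates release branches would keep the document usable as an audit record.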