chore: only accept deployment from tmp branches protected by rulesets (#1481)

tschaffter · web-flow · commit db2c4ba28ad4 · 2025-10-10T09:47:52.000-07:00
## Description Further restrict the branches that can trigger a BixArena deployment during the IaC development phase to only those protected by GitHub rulesets. Currently, these rulesets allow only Sage monorepo administrators to create or modify branches that match the newly proposed branch naming pattern. This PR addresses this [comment](https://github.com/Sage-Bionetworks-IT/organizations-infra/pull/1480/files#r2415219248). <img width="790" height="358" alt="image" src="https://github.com/user-attachments/assets/c3ac5e96-e50a-43e7-b820-1340caeb2124" /> Once the IaC and GitHub workflows are complete, and we can ensure that only authorized events and users can trigger deployments, a new PR will be opened to add main back to the list of branches allowed to trigger a deployment. Cc: @zaro0508
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
@@ -933,7 +933,7 @@ GithubOidcBixArenaInfra:
     GitHubOrg: "Sage-Bionetworks"
     Repositories:
       - name: "sage-monorepo"
-        branches: ["main","prod","infra/test-bixarena-infra-workflow"]
+        branches: ["infra/bixarena/*"]
   DefaultOrganizationBinding:
     Account:
       - !Ref BixArenaProdAccount
