Copilot AI commented Oct 19, 2025

Overview

This PR adds support for GitHub branch rulesets to the repo-policy-compliance application, resolving issue #314. The application can now validate branch protection configured through both classic branch protection and the newer rulesets API.

Problem

Previously, the application only supported checking classic branch protection. When users configured branch protection using rulesets (the newer GitHub feature), the application would fail with a 404 error and display a message suggesting that rulesets might be defined instead, but it couldn't actually verify them.

Solution

This PR adds comprehensive support for checking branch rulesets with the same validation criteria as classic branch protection:

  • Verifies that pull request reviews are required
  • Ensures no bypass allowances are configured

Implementation Details

New GitHub Client Function

Added get_rulesets_for_branch() in github_client.py:

  • Fetches all rulesets for a repository using the GitHub API
  • Filters for active branch rulesets that apply to the specified branch
  • Uses PyGithub's internal requester since the library doesn't have built-in ruleset support yet (PyGithub#2718)

New Validation Function

Added _check_rulesets_for_pull_request_reviews() in check.py:

  • Validates that at least one ruleset requires pull request reviews
  • Checks for bypass allowances (users, teams, repository_roles, deploy_keys)
  • Returns appropriate pass/fail reports with detailed error messages

Updated Target Branch Protection Check

Modified target_branch_protection() to:

  • Attempt classic branch protection check first (maintaining backward compatibility)
  • When a 404 is received, check for rulesets instead of failing immediately
  • Provide clear, specific error messages for each failure scenario

Testing

  • Added 5 new unit tests covering various ruleset scenarios (no rulesets, missing PR requirement, bypass allowances, valid configuration)
  • Added 3 new integration tests for end-to-end validation
  • All 65 existing unit tests continue to pass
  • Code passes all linting checks (black, isort, pylint, pydocstyle, flake8)

Backward Compatibility

This implementation maintains full backward compatibility:

  • Classic branch protection checks work exactly as before
  • Ruleset checks only trigger when the classic API returns 404
  • No breaking changes to the API or existing functionality
  • Error messages clearly indicate whether classic protection or rulesets were checked

Example

# Branch protected with rulesets requiring PR reviews
report = target_branch_protection(
    repository_name="owner/repo",
    branch_name="main",
    source_repository_name="fork/repo"
)
# Returns: Report(result=Result.PASS, reason=None)

# Branch protected with rulesets but no PR requirement
report = target_branch_protection(
    repository_name="owner/repo",
    branch_name="develop",
    source_repository_name="fork/repo"
)
# Returns: Report(result=Result.FAIL, reason="pull request reviews are not required in rulesets...")

Closes #314

Original prompt

This section details the original issue you should resolve

<issue_title>Add support for branch rulesets</issue_title>
<issue_description>Repo-policy-compliance only supports checking classic branch protection, but users can also define branch rulesets: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets. The application should support the latter.</issue_description>

Comments on the Issue (you are @copilot in this section)

@amandahla: @cbartz is this issue still relevant?
@cbartz: Hi, yes it is, https://warthogs.atlassian.net/browse/ISD-2134 is the internal ticket.
@cbartz: Closing as this can be seen as an enhancement proposal and we have an internal ticket to track it.

Fixes #1831


Copilot AI changed the title from "[WIP] Add support for branch rulesets in repo policy compliance" to "Add support for branch rulesets in compliance checks" Oct 19, 2025
Copilot AI requested a review from cbartz October 19, 2025 05:42
Copilot finished work on behalf of cbartz October 19, 2025 05:42
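
The ruleset validation described in the PR comment above, sketched as an added example (not the PR's or the project's code). It goes slightly beyond the description by also treating a `pull_request` rule with zero required approvals as "not required". Assumptions: the helper names and sample rulesets are constructed, `fnmatchcase` only approximates GitHub's ref pattern syntax, and any bypass actor on a review-requiring ruleset is treated as a failure.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like GitHub repository ruleset objects.
PR_RULE = {"type": "pull_request", "parameters": {"required_approving_review_count": 1}}

def sample(name, include, rules, enforcement="active", bypass_actors=()):
    return {"name": name, "target": "branch", "enforcement": enforcement,
            "conditions": {"ref_name": {"include": include, "exclude": []}},
            "bypass_actors": list(bypass_actors), "rules": rules}

SAMPLE_RULESETS = [
    sample("main-protect", ["~DEFAULT_BRANCH"], [PR_RULE]),
    sample("develop-history", ["refs/heads/develop"], [{"type": "required_linear_history"}]),
    sample("release-pr", ["refs/heads/release/*"], [PR_RULE],
           bypass_actors=[{"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}]),
    sample("trial", ["~ALL"], [PR_RULE], enforcement="evaluate"),  # logged only, not enforced
]

def applies_to_branch(ruleset, branch, default_branch):
    """True only for enforced branch rulesets whose ref conditions match the branch."""
    if ruleset.get("target") != "branch" or ruleset.get("enforcement") != "active":
        return False
    ref = f"refs/heads/{branch}"
    cond = (ruleset.get("conditions") or {}).get("ref_name") or {}
    def hit(patterns):
        return any(p == "~ALL" or (p == "~DEFAULT_BRANCH" and branch == default_branch)
                   or fnmatchcase(ref, p) for p in patterns)
    return hit(cond.get("include", [])) and not hit(cond.get("exclude", []))

def requires_review(ruleset):
    """A pull_request rule with zero required approvals does not count."""
    return any(rule.get("type") == "pull_request"
               and (rule.get("parameters") or {}).get("required_approving_review_count", 0) >= 1
               for rule in ruleset.get("rules", []))

def check_rulesets(rulesets, branch, default_branch="main"):
    """Return (passed, reason); anything short of an enforced review rule fails."""
    applicable = [r for r in rulesets if applies_to_branch(r, branch, default_branch)]
    if not applicable:
        return False, "no active branch ruleset applies"
    requiring = [r for r in applicable if requires_review(r)]
    if not requiring:
        return False, "pull request reviews are not required in rulesets"
    bypassed = [r["name"] for r in requiring if r.get("bypass_actors")]
    if bypassed:
        return False, "bypass actors configured on: " + ", ".join(bypassed)
    return True, None
```

The `trial` ruleset matches every branch but is in `evaluate` mode, so it must not count as protection; a check that ignores `enforcement` would pass branches that are not actually protected.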