Adding branch protection rules #4

Open
Description

The Security Team at the EF would like to assist your project by enhancing its security posture by applying basic branch protection rules to all the repositories of this GitHub organization. To do that, we will walk you through the diverse options available, ensuring you can effortlessly create PRs that suit your needs.

Activity

ghost commented on Sep 12, 2023

In your otterdog configuration file, you can add a branch protection rule for a repo following the example below for a repository called myrepo:

orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main')
  ],
}

The snippet above will add a default branch protection rule for the main branch of the repository named myrepo, setting the following features by default:

{
  "allows_deletions": false,
  "allows_force_pushes": false,
  "blocks_creations": false,
  "bypass_force_push_allowances": [],
  "bypass_pull_request_allowances": [],
  "dismisses_stale_reviews": false,
  "is_admin_enforced": false,
  "lock_allows_fetch_and_merge": false,
  "lock_branch": false,
  "pattern": "main",
  "push_restrictions": [],
  "require_last_push_approval": false,
  "required_approving_review_count": 2,
  "required_deployment_environments": [],
  "required_status_checks": [
    "eclipse-eca-validation:eclipsefdn/eca"
  ],
  "requires_code_owner_reviews": false,
  "requires_commit_signatures": false,
  "requires_conversation_resolution": false,
  "requires_deployments": false,
  "requires_linear_history": false,
  "requires_pull_request": true,
  "requires_status_checks": true,
  "requires_strict_status_checks": false,
  "restricts_pushes": false,
  "restricts_review_dismissals": false,
  "review_dismissal_allowances": []
}

In case you need to define custom settings, you can play around with them using the playground feature at https://eclipse-cdt.github.io/.eclipsefdn/configuration/, where you can adjust any of the default settings. Please find below an example where required_approving_review_count has been configured to 0:

orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main') {
      required_approving_review_count: 0,
    }
  ],
}

The PR created to add branch protection rules will not require any approvals to merge, but a pull request will still be required before pushing to the main branch.

Furthermore, if you would like to create a template function for branch protection rules in your organization so that you can reuse it, you could do something similar to the example below:

// Reusable rule: otterdog's defaults for the given branch pattern,
// but with no approvals required.
local custom_branch_protection_rule(pattern) =
  orgs.newBranchProtectionRule(pattern) {
    required_approving_review_count: 0,
  };

and then use that function:

orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    custom_branch_protection_rule('main'),
  ],
}

If you need any help or guidance, please respond to this ticket.

ghost commented on Sep 12, 2023

Finally, please keep in mind that you can get the list of repositories without branch protection rules using the otterdog dashboard at https://eclipse-cdt.github.io/.eclipsefdn/configuration/ by clicking on the Repositories option.
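Two things in the thread above are worth automating: checking the settings a rule actually ends up with (the default list in the first comment, or a customized rule such as the required_approving_review_count: 0 example) against a baseline, and finding repositories whose default branch is not covered by any rule at all (what the dashboard's Repositories view shows). The following is an added example, not otterdog's code and not something the EF Security Team posted. It assumes a plain dict layout (a repositories list, each with default_branch and branch_protection_rules) that mirrors the evaluated jsonnet; the rule field names are the ones the thread lists, while BASELINE, MIN_APPROVALS, the fnmatch approximation of GitHub's branch pattern matching, and the sample organization are this example's own.

```python
"""Audit an otterdog-style configuration for missing or weak branch
protection rules. Added example: not otterdog's code and not the EF
Security Team's. The org/repo dict layout is assumed, the rule field
names are the ones otterdog lists, and BASELINE is this example's policy."""
from fnmatch import fnmatchcase

# setting -> (expected value, why it matters). The first four already hold
# in the default rule; the last two are where it still leaves room to
# merge past review.
BASELINE = {
    "allows_force_pushes": (False, "force pushes rewrite already-reviewed history"),
    "allows_deletions": (False, "the protected branch can be deleted outright"),
    "requires_pull_request": (True, "direct pushes skip review entirely"),
    "requires_status_checks": (True, "merges land without the ECA/CI checks"),
    "is_admin_enforced": (True, "org admins can push past the rule otherwise"),
    "dismisses_stale_reviews": (True, "a new push keeps approvals given to older commits"),
}
MIN_APPROVALS = 1  # required_approving_review_count: 0 lets a PR merge unreviewed


def audit_rule(rule):
    """Return [(setting, actual_value, reason)] for every setting below baseline."""
    findings = []
    for key, (expected, reason) in BASELINE.items():
        actual = rule.get(key)
        if actual != expected:
            findings.append((key, actual, reason))
    approvals = rule.get("required_approving_review_count", 0)
    if rule.get("requires_pull_request") and approvals < MIN_APPROVALS:
        findings.append(("required_approving_review_count", approvals,
                         "a PR is required but can be merged without any approval"))
    return findings


def rule_covers(rule, branch):
    """GitHub matches rule patterns fnmatch-style ('release/*' covers
    'release/1.0'); fnmatchcase is an approximation of that behaviour."""
    return fnmatchcase(branch, rule["pattern"])


def audit_org(org):
    """Return (repos whose default branch has no covering rule, {repo: findings})."""
    unprotected, findings = [], {}
    for repo in org["repositories"]:
        branch = repo.get("default_branch", "main")
        covering = [r for r in repo.get("branch_protection_rules", [])
                    if rule_covers(r, branch)]
        if not covering:
            unprotected.append(repo["name"])
            continue
        for rule in covering:
            weak = audit_rule(rule)
            if weak:
                findings.setdefault(repo["name"], []).extend(weak)
    return unprotected, findings


def hardened(rule):
    """Copy of the rule with the baseline applied; each key is a field you
    could set inside orgs.newBranchProtectionRule(...) in the jsonnet."""
    out = dict(rule)
    for key, (expected, _) in BASELINE.items():
        out[key] = expected
    out["required_approving_review_count"] = max(
        rule.get("required_approving_review_count", 0), MIN_APPROVALS)
    return out


# Constructed sample data. PAGE_DEFAULT_RULE carries the values the thread
# lists for orgs.newBranchProtectionRule('main'); the others vary one thing.
PAGE_DEFAULT_RULE = {
    "pattern": "main",
    "allows_deletions": False,
    "allows_force_pushes": False,
    "dismisses_stale_reviews": False,
    "is_admin_enforced": False,
    "required_approving_review_count": 2,
    "requires_pull_request": True,
    "requires_status_checks": True,
}
NO_APPROVAL_RULE = dict(PAGE_DEFAULT_RULE, required_approving_review_count=0)

SAMPLE_ORG = {
    "repositories": [
        {"name": "myrepo", "default_branch": "main",
         "branch_protection_rules": [PAGE_DEFAULT_RULE]},
        {"name": "docs", "default_branch": "main",
         "branch_protection_rules": [NO_APPROVAL_RULE]},
        {"name": "tools", "default_branch": "main",
         "branch_protection_rules": []},
        # A rule exists, but its pattern never matches the default branch.
        {"name": "legacy", "default_branch": "master",
         "branch_protection_rules": [dict(PAGE_DEFAULT_RULE, pattern="release/*")]},
    ]
}

if __name__ == "__main__":
    missing, weak = audit_org(SAMPLE_ORG)
    print("no rule on default branch:", ", ".join(missing))
    for name, items in weak.items():
        for key, actual, reason in items:
            print(f"{name}: {key}={actual!r}: {reason}")
```

The settings JSON from the first comment can be fed to audit_rule as-is, since the keys match. Note that the page's required_approving_review_count: 0 example is reported as a finding: the rule still forces a pull request, as the comment says, but that pull request can be merged by its author with no second pair of eyes. requires_commit_signatures and requires_linear_history are left out of BASELINE on purpose; whether to demand them is a project policy decision rather than a defect in the default rule.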

        Adding branch protection rules · Issue #4 · eclipse-cdt/.eclipsefdn