Adding branch protection rules #5

Open
ghost opened this issue Sep 6, 2023 · 5 comments

ghost commented Sep 6, 2023

The Security Team at the EF would like to assist your project in enhancing its security posture by applying basic branch protection rules for all the repositories of this GitHub organization. To do that, we will walk you through the diverse options available, ensuring you can effortlessly create PRs that suit your needs.

Author

ghost commented Sep 6, 2023

In your otterdog configuration file, you can add a branch protection rule for a repo following the example below for a repository called myrepo:

```jsonnet
orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main')
  ],
}
```

The snippet above will add a default branch protection rule for the main branch of the repository named myrepo, setting the following features by default:

```json
{
  "allows_deletions": false,
  "allows_force_pushes": false,
  "blocks_creations": false,
  "bypass_force_push_allowances": [],
  "bypass_pull_request_allowances": [],
  "dismisses_stale_reviews": false,
  "is_admin_enforced": false,
  "lock_allows_fetch_and_merge": false,
  "lock_branch": false,
  "pattern": "myrepo",
  "push_restrictions": [],
  "require_last_push_approval": false,
  "required_approving_review_count": 2,
  "required_deployment_environments": [],
  "required_status_checks": [
    "eclipse-eca-validation:eclipsefdn/eca"
  ],
  "requires_code_owner_reviews": false,
  "requires_commit_signatures": false,
  "requires_conversation_resolution": false,
  "requires_deployments": false,
  "requires_linear_history": false,
  "requires_pull_request": true,
  "requires_status_checks": true,
  "requires_strict_status_checks": false,
  "restricts_pushes": false,
  "restricts_review_dismissals": false,
  "review_dismissal_allowances": []
}
```

In case you need to define custom settings, you can play around with the settings by using the playground feature at https://eclipse-volttron.github.io/.eclipsefdn/configuration/, where you can adjust any default settings. Please find below an example where required_approving_review_count has been configured to 0:

```jsonnet
orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main') {
      required_approving_review_count: 0,
    }
  ],
}
```

The PR created to add branch protection rules will not require any approvals to merge, but they will still be required before pushing to the main branch.

Furthermore, if you would like to create a template function for branch protection rules in your organization to reuse them, you could do something similar to the example below:

```jsonnet
local custom_branch_protection_rule(pattern) =
  orgs.newBranchProtectionRule(pattern) {
    required_approving_review_count: 0,
  };
```

and then use that function:

```jsonnet
orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    custom_branch_protection_rule('main'),
  ],
}
```

If you need any help or guidance, please respond to this ticket.

Author

ghost commented Sep 6, 2023

Finally, please keep in mind that you can get the list of repositories without branch protection rules using the otterdog dashboard at https://eclipse-volttron.github.io/.eclipsefdn/configuration/ by clicking on the Repositories option.
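
Added example (not part of the issue thread and not otterdog's own code): a small offline audit over rendered rule settings, using the field names from the defaults listed above, that reports repositories with no rule and rules whose settings weaken protection. The `name` key, the repository names, the sample data and the policy choices themselves are assumptions made for this example.

```python
import json

# Constructed sample: two repos using the field names from the defaults above.
# The "name" key and the repository names are assumptions for this example.
SAMPLE = json.loads("""
[
  {"name": "myrepo", "branch_protection_rules": [
    {"pattern": "main", "requires_pull_request": true,
     "required_approving_review_count": 0, "is_admin_enforced": false,
     "allows_force_pushes": false, "allows_deletions": false,
     "bypass_pull_request_allowances": [],
     "requires_status_checks": true,
     "required_status_checks": ["eclipse-eca-validation:eclipsefdn/eca"]}
  ]},
  {"name": "unprotected-repo", "branch_protection_rules": []}
]
""")

def audit_rule(rule):
    """Return findings for one rule; the policy is this example's, not otterdog's."""
    findings = []
    if not rule.get("requires_pull_request"):
        findings.append("direct pushes allowed (requires_pull_request is false)")
    elif rule.get("required_approving_review_count", 0) == 0:
        findings.append("pull requests merge without any approving review")
    if rule.get("allows_force_pushes"):
        findings.append("force pushes allowed")
    if rule.get("allows_deletions"):
        findings.append("branch deletion allowed")
    if not rule.get("is_admin_enforced"):
        findings.append("admins can bypass the rule (is_admin_enforced is false)")
    if rule.get("bypass_pull_request_allowances"):
        findings.append("some actors may bypass pull requests")
    if rule.get("requires_status_checks") and not rule.get("required_status_checks"):
        findings.append("status checks required but none listed")
    return findings

def audit_repos(repos):
    """Map 'repo' or 'repo:pattern' to its findings; clean rules are omitted."""
    report = {}
    for repo in repos:
        rules = repo.get("branch_protection_rules") or []
        if not rules:
            report[repo["name"]] = ["no branch protection rule"]
        for rule in rules:
            findings = audit_rule(rule)
            if findings:
                report[f"{repo['name']}:{rule.get('pattern')}"] = findings
    return report
```

Calling `audit_repos(SAMPLE)` returns one entry per repository or rule that has findings.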

Contributor

craig8 commented Oct 20, 2023

Please assign this to me and I will take care of it.

Contributor

netomi commented Oct 21, 2023

The project has quite some repos, so adding branch protection rules for all of them could be quite tedious. You may want to take a look at the vert.x project where we defined a template function to create a branch protection rule and then apply it consistently to all repos: https://github.com/eclipse-vertx/.eclipsefdn/blob/main/otterdog/eclipse-vertx.jsonnet

That might be useful for your project as well.

Contributor

netomi commented Oct 21, 2023

To play around with settings you can use the playground at: https://eclipse-volttron.github.io/.eclipsefdn/playground/
