Adding branch protection rules #1

Open
ghost opened this issue Sep 8, 2023 · 4 comments

Comments

@ghost

ghost commented Sep 8, 2023

The Security Team at the EF would like to assist your project by enhancing its security posture by applying basic branch protection rules for all the repositories of this GitHub Organization. To do that, we will walk you through the diverse options available, ensuring you can effortlessly create PRs that suit your needs.

@ghost
Author

ghost commented Sep 8, 2023

In your otterdog configuration file, you can add a branch protection rule for a repo following the example below for a repository called myrepo:

orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main')
  ],
}

The snippet above will add a default branch protection rule for the main branch of the repository named myrepo. It sets the following features by default:

{
  "allows_deletions": false,
  "allows_force_pushes": false,
  "blocks_creations": false,
  "bypass_force_push_allowances": [],
  "bypass_pull_request_allowances": [],
  "dismisses_stale_reviews": false,
  "is_admin_enforced": false,
  "lock_allows_fetch_and_merge": false,
  "lock_branch": false,
  "pattern": "main",
  "push_restrictions": [],
  "require_last_push_approval": false,
  "required_approving_review_count": 2,
  "required_deployment_environments": [],
  "required_status_checks": [
    "eclipse-eca-validation:eclipsefdn/eca"
  ],
  "requires_code_owner_reviews": false,
  "requires_commit_signatures": false,
  "requires_conversation_resolution": false,
  "requires_deployments": false,
  "requires_linear_history": false,
  "requires_pull_request": true,
  "requires_status_checks": true,
  "requires_strict_status_checks": false,
  "restricts_pushes": false,
  "restricts_review_dismissals": false,
  "review_dismissal_allowances": []
}

In case you need to define custom settings, you can play around with them by using the playground feature at https://eclipse-zenoh.github.io/.eclipsefdn/configuration/, where you can adjust any default setting. Please find below an example where required_approving_review_count has been configured to 0:

orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main') {
      required_approving_review_count: 0,
    }
  ],
}

The PR created to add branch protection rules will not require any approvals to merge, but PRs will still be required before pushing to the main branch.

Furthermore, if you would like to create a template function for branch protection rules in your organization to reuse them, you could do something similar to the example below:

local custom_branch_protection_rule(pattern) =
  orgs.newBranchProtectionRule(pattern) {
    required_approving_review_count: 0,
  };

and then use that function:

orgs.newRepo('myrepo') {
  ...
  branch_protection_rules: [
    custom_branch_protection_rule('main'),
  ],
}

If you need any help or guidance, please respond to this ticket.

@ghost
Author

ghost commented Sep 8, 2023

Finally, please keep in mind that you can get the list of repositories without branch protection rules using the otterdog dashboard at https://eclipse-zenoh.github.io/.eclipsefdn/configuration/ by clicking on the Repositories option.
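As an added example (not otterdog's own code, and not part of this issue) tying together the default settings listed above and the list of unprotected repositories mentioned here: a small Python audit over a constructed org export that reports repositories whose default branch has no protection rule, or a rule weaker than those defaults. The `repositories[].branch_protection_rules[]` layout and the sample data are assumptions for illustration; only the setting keys come from the defaults JSON above.

```python
import fnmatch

# Constructed sample input: a minimal org export using the otterdog
# branch-protection keys shown in the issue (not real Eclipse data).
SAMPLE_ORG = {"repositories": [
    {"name": "myrepo", "default_branch": "main", "branch_protection_rules": [
        {"pattern": "main", "requires_pull_request": True,
         "required_approving_review_count": 2, "allows_force_pushes": False,
         "allows_deletions": False, "requires_status_checks": True,
         "required_status_checks": ["eclipse-eca-validation:eclipsefdn/eca"]}]},
    {"name": "relaxed", "default_branch": "main", "branch_protection_rules": [
        {"pattern": "main", "requires_pull_request": True,
         "required_approving_review_count": 0, "allows_force_pushes": True,
         "allows_deletions": False, "requires_status_checks": False,
         "required_status_checks": []}]},
    {"name": "unprotected", "default_branch": "main",
     "branch_protection_rules": []},
]}


def weaknesses(rule):
    """List the settings in one rule that are weaker than the otterdog defaults."""
    found = []
    if not rule.get("requires_pull_request", False):
        found.append("requires_pull_request=false")
    if rule.get("required_approving_review_count", 0) < 1:
        found.append("required_approving_review_count<1")
    if rule.get("allows_force_pushes", False):
        found.append("allows_force_pushes=true")
    if rule.get("allows_deletions", False):
        found.append("allows_deletions=true")
    if not (rule.get("requires_status_checks") and rule.get("required_status_checks")):
        found.append("no required status checks")
    return found


def audit(org):
    """Map repo name -> findings for repos with an unprotected or weakly protected default branch."""
    report = {}
    for repo in org["repositories"]:
        branch = repo.get("default_branch", "main")
        # GitHub rule patterns are glob-like, so match with fnmatch rather than ==
        rules = [r for r in repo.get("branch_protection_rules", [])
                 if fnmatch.fnmatch(branch, r.get("pattern", ""))]
        if not rules:
            report[repo["name"]] = ["no rule for default branch " + branch]
        elif any(weaknesses(r) for r in rules):
            report[repo["name"]] = [w for r in rules for w in weaknesses(r)]
    return report
```

Running `audit(SAMPLE_ORG)` flags `unprotected` (no rule) and `relaxed` (zero required approvals, force pushes allowed, no required status checks) while `myrepo` passes.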

@ghost
Author

ghost commented Sep 8, 2023

All branches already protected

@ghost ghost closed this as completed Sep 8, 2023
@netomi
Contributor

netomi commented Sep 8, 2023

I see many repos without branch protection rules for this org.

@netomi netomi reopened this Sep 8, 2023