omnigraph/scripts/apply-branch-protection.sh

#!/usr/bin/env bash
# Apply branch protection rules to the main branch.
#
# Requires:
#   - `gh` CLI authenticated.
#   - Repository-admin or org-admin permissions on ModernRelay/omnigraph.
#
# This script is idempotent: re-running applies whatever is currently
# declared in .github/branch-protection.json. The JSON file is the
# source of truth; this script is the apply mechanism.
#
# Usage:
#   ./scripts/apply-branch-protection.sh                    # apply to main
#   REPO=ModernRelay/omnigraph BRANCH=main ./scripts/...    # explicit
#   DRY_RUN=1 ./scripts/apply-branch-protection.sh          # show what would apply

set -euo pipefail

REPO="${REPO:-ModernRelay/omnigraph}"
BRANCH="${BRANCH:-main}"
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
POLICY_FILE="${POLICY_FILE:-$HERE/../.github/branch-protection.json}"

if [ ! -f "$POLICY_FILE" ]; then
    echo "error: policy file not found: $POLICY_FILE" >&2
    exit 1
fi

# Strip the _comment field — the GitHub API rejects unknown keys.
PAYLOAD="$(mktemp)"
trap 'rm -f "$PAYLOAD"' EXIT
jq 'del(._comment)' "$POLICY_FILE" > "$PAYLOAD"

if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "DRY RUN — would apply to $REPO/$BRANCH:"
    echo
    cat "$PAYLOAD"
    exit 0
fi

echo "Applying branch protection to $REPO/$BRANCH from $POLICY_FILE"
gh api -X PUT "repos/$REPO/branches/$BRANCH/protection" \
    --input "$PAYLOAD" \
    -H "Accept: application/vnd.github+json" \
    > /dev/null
echo "OK"

# Verify by reading back.
echo
echo "Current policy on $REPO/$BRANCH:"
gh api "repos/$REPO/branches/$BRANCH/protection" \
    --jq '{
        required_status_checks: .required_status_checks.contexts,
        strict_status_checks: .required_status_checks.strict,
        required_approvals: .required_pull_request_reviews.required_approving_review_count,
        require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews,
        enforce_admins: .enforce_admins.enabled,
        linear_history: .required_linear_history.enabled,
        force_pushes_allowed: .allow_force_pushes.enabled,
        deletions_allowed: .allow_deletions.enabled,
        conversation_resolution_required: .required_conversation_resolution.enabled
    }'
branch-protection: declarative policy + apply script (#89) Branch protection on main, declared as code rather than as opaque GitHub UI state. Pairs with the CODEOWNERS chassis (#88): once this PR lands and an admin runs the apply script, every PR to main must satisfy code-owner review and the listed required checks. Components: - .github/branch-protection.json — the policy. Edit this to change required checks, review counts, etc. Includes a _comment field for human readers; the apply script strips it before PUT. - scripts/apply-branch-protection.sh — idempotent apply via `gh api`. Reads back current state for verification. Supports DRY_RUN=1. - docs/branch-protection.md — explains the policy, how to apply, how to change, why declared as code. - AGENTS.md topic-index row. Policy summary: - Required status checks (strict): Classify Changes, Check AGENTS.md Links, Test Workspace, Test omnigraph-server --features aws, CODEOWNERS / drift, CODEOWNERS / noedit. - Required approving reviews: 1, must be a code owner. - Dismiss stale reviews on new commits. - Required linear history (squash or rebase merges only). - No force pushes, no deletions, no admin bypasses. - Required conversation resolution. What's NOT in this PR: - Required signed commits — not yet; maintainers must enroll GPG/SSH signing first or merges will block. - Tag protection for v* tags — separate PR. - Additional required checks (cargo deny, audit, fmt, clippy, CodeQL, schema-lint MR-946) — separate PRs as each lands. - The script is NOT run by CI. Branch-protection changes are admin actions; CI-driven auto-apply would defeat the purpose. Manual invocation is the audit point. How to apply after merge: ./scripts/apply-branch-protection.sh Requires gh-CLI auth with repo-admin permissions. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-13 17:38:20 +03:00			`#!/usr/bin/env bash`
			`# Apply branch protection rules to the main branch.`
			`#`
			`# Requires:`
			# - `gh` CLI authenticated.
Rename repo terminology to graph (#118) 2026-05-24 16:46:00 +01:00			`# - Repository-admin or org-admin permissions on ModernRelay/omnigraph.`
branch-protection: declarative policy + apply script (#89) Branch protection on main, declared as code rather than as opaque GitHub UI state. Pairs with the CODEOWNERS chassis (#88): once this PR lands and an admin runs the apply script, every PR to main must satisfy code-owner review and the listed required checks. Components: - .github/branch-protection.json — the policy. Edit this to change required checks, review counts, etc. Includes a _comment field for human readers; the apply script strips it before PUT. - scripts/apply-branch-protection.sh — idempotent apply via `gh api`. Reads back current state for verification. Supports DRY_RUN=1. - docs/branch-protection.md — explains the policy, how to apply, how to change, why declared as code. - AGENTS.md topic-index row. Policy summary: - Required status checks (strict): Classify Changes, Check AGENTS.md Links, Test Workspace, Test omnigraph-server --features aws, CODEOWNERS / drift, CODEOWNERS / noedit. - Required approving reviews: 1, must be a code owner. - Dismiss stale reviews on new commits. - Required linear history (squash or rebase merges only). - No force pushes, no deletions, no admin bypasses. - Required conversation resolution. What's NOT in this PR: - Required signed commits — not yet; maintainers must enroll GPG/SSH signing first or merges will block. - Tag protection for v* tags — separate PR. - Additional required checks (cargo deny, audit, fmt, clippy, CodeQL, schema-lint MR-946) — separate PRs as each lands. - The script is NOT run by CI. Branch-protection changes are admin actions; CI-driven auto-apply would defeat the purpose. Manual invocation is the audit point. How to apply after merge: ./scripts/apply-branch-protection.sh Requires gh-CLI auth with repo-admin permissions. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-13 17:38:20 +03:00			`#`
			`# This script is idempotent: re-running applies whatever is currently`
			`# declared in .github/branch-protection.json. The JSON file is the`
			`# source of truth; this script is the apply mechanism.`
			`#`
			`# Usage:`
			`# ./scripts/apply-branch-protection.sh # apply to main`
			`# REPO=ModernRelay/omnigraph BRANCH=main ./scripts/... # explicit`
			`# DRY_RUN=1 ./scripts/apply-branch-protection.sh # show what would apply`

			`set -euo pipefail`

			`REPO="${REPO:-ModernRelay/omnigraph}"`
			`BRANCH="${BRANCH:-main}"`
			`HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`POLICY_FILE="${POLICY_FILE:-$HERE/../.github/branch-protection.json}"`

			`if [ ! -f "$POLICY_FILE" ]; then`
			`echo "error: policy file not found: $POLICY_FILE" >&2`
			`exit 1`
			`fi`

			`# Strip the _comment field — the GitHub API rejects unknown keys.`
			`PAYLOAD="$(mktemp)"`
			`trap 'rm -f "$PAYLOAD"' EXIT`
			`jq 'del(._comment)' "$POLICY_FILE" > "$PAYLOAD"`

			`if [ "${DRY_RUN:-0}" = "1" ]; then`
			`echo "DRY RUN — would apply to $REPO/$BRANCH:"`
			`echo`
			`cat "$PAYLOAD"`
			`exit 0`
			`fi`

			`echo "Applying branch protection to $REPO/$BRANCH from $POLICY_FILE"`
			`gh api -X PUT "repos/$REPO/branches/$BRANCH/protection" \`
			`--input "$PAYLOAD" \`
			`-H "Accept: application/vnd.github+json" \`
			`> /dev/null`
			`echo "OK"`

			`# Verify by reading back.`
			`echo`
			`echo "Current policy on $REPO/$BRANCH:"`
			`gh api "repos/$REPO/branches/$BRANCH/protection" \`
			`--jq '{`
			`required_status_checks: .required_status_checks.contexts,`
			`strict_status_checks: .required_status_checks.strict,`
			`required_approvals: .required_pull_request_reviews.required_approving_review_count,`
			`require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews,`
			`enforce_admins: .enforce_admins.enabled,`
			`linear_history: .required_linear_history.enabled,`
			`force_pushes_allowed: .allow_force_pushes.enabled,`
			`deletions_allowed: .allow_deletions.enabled,`
			`conversation_resolution_required: .required_conversation_resolution.enabled`
			`}'`