apunkt/omnigraph
1
0
Fork 0
mirror of https://github.com/ModernRelay/omnigraph.git synced 2026-06-09 01:35:18 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
omnigraph/scripts/apply-branch-protection.sh
Andrew Altshuler 6bad829ed0
branch-protection: declarative policy + apply script (#89) 
Branch protection on main, declared as code rather than as opaque
GitHub UI state. Pairs with the CODEOWNERS chassis (#88): once this
PR lands and an admin runs the apply script, every PR to main must
satisfy code-owner review and the listed required checks.

Components:

- .github/branch-protection.json — the policy. Edit this to change
  required checks, review counts, etc. Includes a _comment field for
  human readers; the apply script strips it before PUT.
- scripts/apply-branch-protection.sh — idempotent apply via `gh api`.
  Reads back current state for verification. Supports DRY_RUN=1.
- docs/branch-protection.md — explains the policy, how to apply, how
  to change, why declared as code.
- AGENTS.md topic-index row.

Policy summary:

- Required status checks (strict): Classify Changes, Check AGENTS.md
  Links, Test Workspace, Test omnigraph-server --features aws,
  CODEOWNERS / drift, CODEOWNERS / noedit.
- Required approving reviews: 1, must be a code owner.
- Dismiss stale reviews on new commits.
- Required linear history (squash or rebase merges only).
- No force pushes, no deletions, no admin bypasses.
- Required conversation resolution.

What's NOT in this PR:

- Required signed commits — not yet; maintainers must enroll GPG/SSH
  signing first or merges will block.
- Tag protection for v* tags — separate PR.
- Additional required checks (cargo deny, audit, fmt, clippy, CodeQL,
  schema-lint MR-946) — separate PRs as each lands.
- The script is NOT run by CI. Branch-protection changes are admin
  actions; CI-driven auto-apply would defeat the purpose. Manual
  invocation is the audit point.

How to apply after merge:

  ./scripts/apply-branch-protection.sh

Requires gh-CLI auth with repo-admin permissions.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 17:38:20 +03:00

62 lines
2.2 KiB
Bash
Executable file
Raw Permalink Blame History

#!/usr/bin/env bash
# Apply branch protection rules to the main branch.
#
# Requires:
# - `gh` CLI authenticated.
# - Repo-admin or org-admin permissions on ModernRelay/omnigraph.
#
# This script is idempotent: re-running applies whatever is currently
# declared in .github/branch-protection.json. The JSON file is the
# source of truth; this script is the apply mechanism.
#
# Usage:
# ./scripts/apply-branch-protection.sh # apply to main
# REPO=ModernRelay/omnigraph BRANCH=main ./scripts/... # explicit
# DRY_RUN=1 ./scripts/apply-branch-protection.sh # show what would apply
set -euo pipefail
REPO="${REPO:-ModernRelay/omnigraph}"
BRANCH="${BRANCH:-main}"
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
POLICY_FILE="${POLICY_FILE:-$HERE/../.github/branch-protection.json}"
if [ ! -f "$POLICY_FILE" ]; then
echo "error: policy file not found: $POLICY_FILE" >&2
exit 1
fi
# Strip the _comment field — the GitHub API rejects unknown keys.
PAYLOAD="$(mktemp)"
trap 'rm -f "$PAYLOAD"' EXIT
jq 'del(._comment)' "$POLICY_FILE" > "$PAYLOAD"
if [ "${DRY_RUN:-0}" = "1" ]; then
echo "DRY RUN — would apply to $REPO/$BRANCH:"
echo
cat "$PAYLOAD"
exit 0
fi
echo "Applying branch protection to $REPO/$BRANCH from $POLICY_FILE"
gh api -X PUT "repos/$REPO/branches/$BRANCH/protection" \
--input "$PAYLOAD" \
-H "Accept: application/vnd.github+json" \
> /dev/null
echo "OK"
# Verify by reading back.
echo
echo "Current policy on $REPO/$BRANCH:"
gh api "repos/$REPO/branches/$BRANCH/protection" \
--jq '{
required_status_checks: .required_status_checks.contexts,
strict_status_checks: .required_status_checks.strict,
required_approvals: .required_pull_request_reviews.required_approving_review_count,
require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews,
enforce_admins: .enforce_admins.enabled,
linear_history: .required_linear_history.enabled,
force_pushes_allowed: .allow_force_pushes.enabled,
deletions_allowed: .allow_deletions.enabled,
conversation_resolution_required: .required_conversation_resolution.enabled
}'
Reference in a new issue View git blame Copy permalink